Chapter 1 

Introduction 



During the past few years, the technology for formal specification and verification of communication protocols has matured to the point where we believe that it now provides practical assistance for protocol design and validation. Several models for distributed systems in general and communication protocols in particular have been developed, and recent advances include formal models that allow reasoning about untimed systems as well as timed systems, e.g., [AL92a, GSSL93, LV93a, LV93b]. 

In connection with these models a host of proof techniques have been developed for proving 
that one protocol implements another. One class of proof techniques is the simulation techniques 
(including refinement mappings, and forward and backward simulations) [AL91, GSSL93, Jon91, 
LV92, LV93a, LV93b]. 

In this work, we show how one approach to formal specification and verification of distributed 
systems — the live (timed) I/O automata of [GSSL93] — can be used to verify an important class 
of communication protocols — those for reliable at-most-once message delivery. 

Thus, the report has two main parts: first, the formal framework of [GSSL93] is presented 
and augmented with additional theory (including a new temporal logic). Second, we consider the 
verification example. The purpose of our work is to provide better understanding, documentation 
and proof for the reliable at-most-once message delivery protocols, and to test the adequacy of 
the formal framework. 

Formal Framework 

When formally developing new protocols or proving correctness of existing ones with respect to some specification, a stepwise approach is usually used: the specification is given in a very abstract manner in which abstract data types are used and where possibly no distributed structure is present. In a series of development steps this specification is refined (or implemented) by introducing more low-level data types and by introducing a distributed view of the system, where different nodes (protocol entities) are connected by more or less reliable channels. 

By using a formal approach to systems specification, it is possible to prove formally that a 
low-level (concrete) protocol correctly implements the high-level (abstract) specification. Such 
a proof is performed by proving that each level in the step-wise development is correct with 
respect to (i.e., implements) the next more abstract level. This approach to verification implies 
that the task of proving correctness of a complicated protocol is split into more manageable 
subtasks, and this greatly reduces the complexity of the overall proof. 

The models of [GSSL93] for untimed and timed systems use an automaton (or state machine) to express safety properties. A safety property ensures that the system never does anything wrong by specifying the steps the system is allowed to perform during execution. However, a safety requirement does not guarantee that the system does anything at all. For that purpose the models of [GSSL93] contain an extra liveness condition. The liveness condition restricts the long-term behavior of the system by specifying what must eventually happen. An example of a liveness condition is the requirement that each process in a parallel system be given fair chances to proceed. In timed systems it is furthermore possible to specify timing requirements like deadlines, response times, etc. 

The models of [GSSL93] are entirely semantic: they describe an abstract view of how distributed systems behave when executed. Thus, they do not offer any syntax for writing down objects of the models. Such a syntax is presented in this work: 

• For writing down the automaton part of the models we use a Pascal-like notation which makes our specifications look close to traditional ways of describing protocols for distributed systems. 

• The liveness part of the models is specified using the language of an extended temporal logic that we develop. This approach has the advantage that parts of the proofs of correctness can be performed using rules of the logic. 

An important property of the models of [GSSL93] is that they are compositional. This means 
that each component (e.g., node) in a complex system can be specified separately and that 
we can implement each component separately and yet obtain an implementation of the entire 
system. This enables a modular approach to systems specification and verification. 

We test the adequacy of the models and proof techniques by formalizing two existing protocols 
for solving the at-most-once message delivery problem and showing how these protocols can be 
proved correct. 

The At-Most-Once Message Delivery Problem 

The at-most-once message delivery problem is that of delivering a sequence of messages submitted by a user at one location to a user at another location. Ideally, we would like to insist that all messages be delivered in the order in which they are sent, each exactly once, and that an acknowledgement be returned for each delivered message.[1] 

Unfortunately, it is expensive to achieve these goals in the presence of failures (e.g., node 
crashes). In fact, it is impossible to achieve them at all unless some change is made to the 
stable state (i.e., the state that survives a crash) each time a message is delivered. To permit 
less expensive solutions, we weaken the statement of the problem slightly. We allow some 
messages to be lost when a node crash occurs; however, no messages should otherwise be lost, 
and those messages that are delivered should not be reordered or duplicated. (The specification 
is weakened in this way because message loss is generally considered to be less damaging than 
duplicate delivery.) Now it is required that the user receive either an acknowledgement that the 
message has been delivered, or in the case of crashes, an indication that the message might have 
been lost. 

There are various ways to solve the at-most-once message delivery problem. All are based on the idea of tagging a message with an identifier and transmitting it repeatedly to overcome the unreliability of the channel. The receiver[2] keeps a stock of "good" identifiers that it has never accepted before; when it sees a message tagged with a good identifier, it accepts it, delivers it, and removes that identifier from the set. Otherwise, the receiver just discards the message, perhaps after acknowledging it. In order for the sender to be sure that its message will be delivered rather than discarded, it must tag the message with a good identifier. What makes the implementations tricky is that the receiver will be keeping track of at least some of its good identifiers in volatile (non-stable) memory, which gets lost in case the receiver node crashes. But the sender does not immediately learn about the crash, so it may go on using these identifiers and thus transmit messages that the receiver will reject. Different protocols use different methods to keep the sender and the receiver more or less in agreement about what identifiers to use. 

[1] Our definition of at-most-once message delivery is different from what some people call at-most-once message delivery in that we include acknowledgements and require messages to be delivered in order. 
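The identifier-tagging scheme just described, as an added simulation that is not part of the report: the receiver keeps its stock of good identifiers in volatile memory, duplicates and stale identifiers are discarded, and a crash that wipes the set makes a sender that still uses the old identifiers see its messages rejected until the two are brought back into agreement. The channel pattern, the identifier ranges and the out-of-band resync step are constructed assumptions standing in for a protocol's own agreement method.

```python
class Channel:
    """Constructed unreliable channel: the n-th transmission is delivered the number of
    times given by pattern[n] (cyclically); 0 means lost, more than 1 means duplicated."""
    def __init__(self, pattern):
        self.pattern, self.count = pattern, 0

    def transmit(self, packet):
        copies = self.pattern[self.count % len(self.pattern)]
        self.count += 1
        return [packet] * copies


class Receiver:
    """Holds its stock of 'good' identifiers in volatile memory, so a crash wipes it."""
    def __init__(self, good_ids):
        self.good_ids = set(good_ids)   # volatile state
        self.delivered = []             # what the user at the receiver end has seen (simulation log)

    def on_packet(self, msg_id, payload):
        """Accept a message tagged with a good identifier exactly once; discard all others.
        Every packet is acknowledged, so the sender learns whether its identifier was good."""
        if msg_id in self.good_ids:
            self.good_ids.remove(msg_id)
            self.delivered.append(payload)
            return "delivered"
        return "discarded"              # duplicate or stale identifier

    def crash(self, fresh_ids):
        """Volatile memory is lost; the receiver restarts with a new stock of good identifiers."""
        self.good_ids = set(fresh_ids)


class Sender:
    """Tags each message with an identifier it believes is good and retransmits until acked."""
    def __init__(self, believed_good):
        self.believed_good = list(believed_good)   # may silently go stale after a receiver crash

    def resync(self, ids):
        """Assumed out-of-band re-agreement; stands in for a protocol's own method."""
        self.believed_good = list(ids)

    def send(self, payload, channel, receiver, max_tries=4):
        """Returns 'delivered' (acknowledged delivery) or 'maybe-lost' (the indication the
        weakened problem statement allows)."""
        msg_id = self.believed_good.pop(0)
        for _ in range(max_tries):
            acks = [receiver.on_packet(i, p) for i, p in channel.transmit((msg_id, payload))]
            if "delivered" in acks:
                return "delivered"      # any later duplicates were discarded by the receiver
            if acks:
                return "maybe-lost"     # acked but never accepted: the identifier was not good
        return "maybe-lost"             # no acknowledgement within the retry budget


def run_scenario(crash_after=None):
    """Send m1..m4 over a lossy, duplicating channel; optionally crash the receiver after
    `crash_after` messages. Returns (outcome per message, payloads delivered to the user)."""
    ids = [1, 2, 3, 4]
    sender, receiver = Sender(ids), Receiver(ids)     # initially in agreement
    channel = Channel([0, 2, 1, 3])                   # lost, duplicated, single, triplicated, ...
    outcomes = []
    for i, payload in enumerate(["m1", "m2", "m3", "m4"]):
        if crash_after is not None and i == crash_after:
            receiver.crash(range(100, 104))           # the sender is not told
        outcomes.append(sender.send(payload, channel, receiver))
    if crash_after is not None:
        sender.resync(sorted(receiver.good_ids))      # once in agreement again, delivery resumes
        outcomes.append(sender.send("m5", channel, receiver))
    return outcomes, receiver.delivered


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(crash_after=2))
```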

A desirable property, which is not directly related to correctness, is that the implementations 
offer a way of cleaning up "old" information when this cannot affect the future behavior. 

In this work, we consider two protocols that are important in practice: the Clock-Based 
Protocol (which we call C) of Liskov, Shrira and Wroclawski [LSW91] and the Five-Packet 
Handshake Protocol (which we call H) of Belsnes [Bel76]. The latter is the standard protocol for 
setting up network connections, used in TCP, ISO TP-4, and many other transport protocols. 
It is sometimes called the three-way handshake, because only three packets are needed for 
message delivery; the additional packets are required for acknowledgement and cleaning up the 
state. The former protocol was developed as an example to show the usefulness of clocks in 
network protocols [Lis91] and has been implemented at M.I.T. Both protocols are sufficiently 
complicated that formal specification and proof seem useful. 

Survey of the Example 

We express both protocols, H and C, as well as the formal specification S of the at-most-once 
message delivery problem, in terms of the models of [GSSL93]. 

Although the two protocols appear to be quite different, we have found that both can be 
expressed formally as implementations of a common Generic Protocol G, which, in turn, is an 
implementation of the problem specification. To prove that G implements the specification, for 
proof-technical reasons we introduce an additional level of abstraction, the Delayed-Decision 
Specification D. This is depicted in Figure 1.1. Introducing intermediate levels of abstraction, 
like G and D, is a general proof strategy that allows large, complicated proofs to be split into 
smaller and more manageable subproofs. 

The specification S is stated in the untimed model of [GSSL93] whereas the Clock-Based 
Protocol C uses the timed model. This apparent model inconsistency is resolved by considering 
S to be a timed system that does not put any constraints in real time. In [GSSL93] certain 
embedding results provide the formal basis for moving between the timed and untimed model. 

In this report we provide almost complete proofs of correctness. Some parts of the proofs are omitted; however, we treat all the different kinds of proofs and provide informal justification for the missing parts. 

Outline of the Report 

The report is structured as follows. In Part I we consider the formal framework: Chapter 2 gives a brief introduction to the models of [GSSL93] and the embedding results. Chapters 3 and 4 describe the syntax we use for specifying systems: first, in Chapter 3, we define an extended temporal logic, and then, in Chapter 4, we specifically show how this temporal logic is used to specify liveness conditions. Chapter 5 describes the proof techniques we use when proving correctness of the protocols. These techniques are mainly taken from [GSSL93]. 

[2] We denote by "receiver" the protocol entity that is situated on the receiver node, and use phrases like "the user at the receiver end" to denote the user that communicates with the receiver. Correspondingly for "sender". 

Figure 1.1: Overview of the levels of abstraction. 

The remaining part of the report, Part II, deals with the at-most-once message delivery example. First, in Chapter 6, we present the formal specification S of the at-most-once message delivery problem. In Chapter 7 we present the Delayed-Decision Specification D and show that it correctly implements S. Chapters 8 to 10 then formally specify the G, H, and C levels and consider their correctness. 

Finally, in Chapter 11, we give concluding remarks. 

The report contains three appendices. Appendix A introduces some basic notation and 
should be read before the rest of the report. Appendix B and Appendix C contain proofs of 
certain results in the main parts of the report. 
The Formal Framework 



Chapter 2 

The Model 



To make this report self-contained, we give a brief presentation of the operational models for 
distributed systems that are developed in [GSSL93]. We give all formal definitions and results 
that are needed but refer to [GSSL93] for details about, e.g., proofs and for a more thorough 
treatment of the models. 

We first present the model for untimed systems. Then the model for timed systems is 
presented, and finally we show how an untimed system can be thought of as a timed system 
that allows time to pass arbitrarily. 

2.1 The Model for Untimed Systems 

The model for untimed systems, called live I/O automata, which is developed in [GSSL93], consists of an automaton part (or state machine), with a labeled transition relation, and a liveness condition. The automaton specifies the possible steps of the system, i.e., it specifies what is allowed to happen and thus the safety of the system. The liveness condition restricts the long-term behavior of the system by specifying what must eventually happen. 

The liveness condition can be seen as a way of restricting the way the automaton is "executed" 
whenever it is working properly. A liveness condition for a system of two parallel processes might 
require that each component be given the possibility of making progress infinitely often. In this 
way executions where one component wishes to proceed but is never given a chance are ruled 
out. This kind of liveness is known as weak fairness and is implemented on a physical machine 
by executing the parallel processes on separate processors or by using a fair scheduler. In the 
examples in this work we will see examples of more complicated liveness requirements. 

As mentioned above the automaton part has a labeled transition relation. This means that 
each step of the automaton is labeled by a name, called an action. The set of actions is 
partitioned into external and internal actions, where only the external actions are visible from 
the environment. The model is event-based in the sense that communication between parallel 
components of a system or between system and environment is modeled by joint actions. That 
is, communication is modeled as the joint executions of steps labeled by the same action. Thus, 
the states cannot be observed. For this reason correctness is based on the sequences of external 
actions (called traces) that can occur when the system is working properly, i.e., when its liveness 
condition is satisfied. 

To express a notion of system vs. environment, the external actions are partitioned into input and output actions, i.e., an I/O distinction is introduced. Intuitively output (and internal) actions are controlled by the system, and are thus called locally-controlled actions, whereas input actions are controlled by the environment of the system. Since a system cannot control its environment, live I/O automata are required to be environment-free, which intuitively means that no matter which inputs the environment provides during execution, the system can perform locally-controlled actions and in this way satisfy its liveness condition. Thus, the environment-freedom requirement ensures that live I/O automata do not have liveness conditions like: "sooner or later input a arrives". 

The environment-freedom requirement also implies that the automaton part of a live I/O 
automaton must be input-enabled which means that the automaton should be able to receive 
any input in any state. 

Even though our live I/O automaton model is not as general as a model without I/O distinction and the environment-freedom requirement, a large number of systems can be specified using this model. In particular many distributed systems have a clear distinction between the output from the system and the input from the environment, and furthermore such systems are usually designed to be able to receive input at any time since processes are usually connected by networks that are not capable of buffering messages. In [GSSL93] a technical justification of environment-freedom is offered. This justification deals with the fact that without I/O distinction and environment-freedom, a trace-based correctness notion like the one mentioned above is not adequate in that it cannot form the base of a notion of implementation that corresponds to our intuition. Furthermore, there exist simpler proof techniques for live I/O automata than for more general models. 

We first present the automaton part, called safe I/O automata. Then we add the liveness 
condition, discuss the notion of implementation, and state an important substitutivity property 
of the model. 

2.1.1 Safe I/O Automata 

Definition 2.1 (Safe I/O Automaton) 

A safe I/O automaton $A$ consists of four components: 

• A set $states(A)$ of states. 

• A nonempty set $start(A)$ of start states ($start(A) \subseteq states(A)$). 

• An action signature $sig(A) = (in(A), out(A), int(A))$ of disjoint sets of input, output, and internal actions, respectively. Denote by $ext(A)$ the set $in(A) \cup out(A)$ of external actions, by $local(A)$ the set $out(A) \cup int(A)$ of locally-controlled actions, and by $acts(A)$ the set $ext(A) \cup int(A)$ of actions. 

• A transition relation $steps(A) \subseteq states(A) \times acts(A) \times states(A)$. The transition relation $steps(A)$ must have the property that for each state $s \in states(A)$ and each input action $a \in in(A)$ there exists a state $s' \in states(A)$ such that $(s, a, s') \in steps(A)$. $A$ is said to be input-enabled. 



An action $a$ is enabled in a state $s$ if there exists a state $s'$ such that $(s, a, s')$ is a step, i.e., $(s, a, s') \in steps(A)$. A set $\mathcal{A}$ of actions is said to be enabled in state $s$ if there exists an action $a \in \mathcal{A}$ such that $a$ is enabled in $s$. An action or set of actions which is not enabled in a state $s$ is said to be disabled in $s$. 

An execution fragment $\alpha$ of a safe I/O automaton $A$ is a (finite or infinite) sequence of alternating states and actions starting with a state and, if the execution fragment is finite, ending in a state 

$$\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$$ 

where each $(s_i, a_{i+1}, s_{i+1}) \in steps(A)$. Denote by $fstate(\alpha)$ the first state of $\alpha$ and, if $\alpha$ is finite, denote by $lstate(\alpha)$ the last state of $\alpha$. Furthermore, denote by $frag^*(A)$, $frag^\omega(A)$, and $frag(A)$ the sets of finite, infinite and all execution fragments of $A$, respectively. An execution is an execution fragment whose first state is a start state. Denote by $exec^*(A)$, $exec^\omega(A)$ and $exec(A)$ the sets of finite, infinite and all executions of $A$, respectively. A state $s$ of $A$ is reachable if there exists a finite execution of $A$ that ends in $s$. 

A finite execution fragment $\alpha_1 = s_0 a_1 s_1 \cdots a_n s_n$ of $A$ and an execution fragment $\alpha_2 = s_n a_{n+1} s_{n+1} \cdots$ of $A$ can be concatenated. In this case the concatenation, written $\alpha_1 \frown \alpha_2$, is the execution fragment $s_0 a_1 s_1 \cdots a_n s_n a_{n+1} s_{n+1} \cdots$. Clearly, $\alpha_1 \frown \alpha_2$ is an execution iff $\alpha_1$ is an execution. 

An execution fragment $\alpha_1$ of $A$ is a prefix of an execution fragment $\alpha_2$ of $A$, written $\alpha_1 \le \alpha_2$, if either $\alpha_1 = \alpha_2$ or $\alpha_1$ is finite and there exists an execution fragment $\alpha_1'$ of $A$ such that $\alpha_2 = \alpha_1 \frown \alpha_1'$. 

Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ be an execution fragment. The length of $\alpha$ is the number of actions occurring in $\alpha$. Thus, 

$$|\alpha| \triangleq \begin{cases} n & \text{if } \alpha \text{ is finite and ends in } s_n \\ \infty & \text{if } \alpha \text{ is infinite} \end{cases}$$ 

Define the $i$th prefix and $i$th suffix of $\alpha$, for $0 \le i \le |\alpha|$,[3] as 

$$\alpha|i \triangleq s_0 a_1 s_1 \cdots a_i s_i$$ 

$$\alpha|^i \triangleq \begin{cases} s_i a_{i+1} s_{i+1} \cdots & \text{if } i < |\alpha| \\ s_{|\alpha|} & \text{if } \alpha \text{ is finite and } i = |\alpha| \end{cases}$$ 


The trace of an execution fragment $\alpha$ of $A$, written $trace_A(\alpha)$, or just $trace(\alpha)$ when $A$ is clear, is the list obtained by restricting $\alpha$ to the set of external actions of $A$, i.e., $trace(\alpha) = \alpha \lceil ext(A)$. For a set $E$ of executions of $A$, denote by $traces_A(E)$, or just $traces(E)$ when $A$ is clear from context, the set of traces of the executions in $E$. We say that $\beta$ is a trace of $A$ if there exists an execution $\alpha$ of $A$ with $trace(\alpha) = \beta$. Denote by $traces^*(A)$, $traces^\omega(A)$ and $traces(A)$ the sets of finite, infinite and all traces of $A$, respectively. Note that a finite trace might be the trace of an infinite execution. Furthermore, for any list $l$ of actions of $A$, define $trace_A(l)$, or just $trace(l)$ when $A$ is clear from context, to be $l \lceil ext(A)$. 

When specifying complex distributed systems, it is important to be able to specify each process separately and then obtain the specification of the entire system as the parallel composition of the specifications of the processes. This modular approach greatly reduces the complexity of specifying large systems. The parallel composition operator in this model uses a synchronization style where automata synchronize on their common actions and evolve independently on the others. It is required that each external action be under the control of at most one automaton, thus, parallel composition is defined only for compatible safe I/O automata. Compatibility requires that each action be an output action of at most one safe I/O automaton. Furthermore, to avoid action name clashes, compatibility requires that internal action names be unique. 

[3] The index $i$ ranges over the natural numbers, so if $|\alpha| = \infty$, then $i \le |\alpha|$ is the same as $i < |\alpha|$. 

Definition 2.2 (Parallel composition of safe I/O automata) 

Safe I/O automata $A_1, \ldots, A_N$ are compatible if for all $1 \le i, j \le N$ with $i \ne j$ 

1. $out(A_i) \cap out(A_j) = \emptyset$ 

2. $int(A_i) \cap acts(A_j) = \emptyset$ 

The parallel composition $A_1 \parallel \cdots \parallel A_N$ of compatible safe I/O automata $A_1, \ldots, A_N$ is the safe I/O automaton $A$ such that 

1. $states(A) = states(A_1) \times \cdots \times states(A_N)$ 

2. $start(A) = start(A_1) \times \cdots \times start(A_N)$ 

3. $out(A) = out(A_1) \cup \cdots \cup out(A_N)$ 

4. $in(A) = (in(A_1) \cup \cdots \cup in(A_N)) \setminus out(A)$ 

5. $int(A) = int(A_1) \cup \cdots \cup int(A_N)$ 

6. $((s_1, \ldots, s_N), a, (s_1', \ldots, s_N')) \in steps(A)$ iff for all $1 \le i \le N$ 

   (a) if $a \in acts(A_i)$ then $(s_i, a, s_i') \in steps(A_i)$ 

   (b) if $a \notin acts(A_i)$ then $s_i = s_i'$ 



The executions of the parallel composition of compatible safe I/O automata $A = A_1 \parallel \cdots \parallel A_N$ can be projected to the component automata. First, for any state $s$ of $A$, denote by $s \lceil A_i$ the state of $A_i$ obtained by projecting $s$ to $A_i$. Then, for any execution $\alpha$ of $A$ denote by $\alpha \lceil A_i$ the execution of $A_i$ obtained from $\alpha$ by projecting the states in $\alpha$ to $A_i$ and by removing each action not in $acts(A_i)$ together with the state preceding the action. 

Parallel composition is typically used to build complex systems based on simpler components. 
Some actions are meant to represent internal communications between the subcomponents of 
the complex system. The action hiding operator allows us to change some external actions into 
internal ones. 

Definition 2.3 (Action hiding) 

Let $A$ be a safe I/O automaton and let $\mathcal{A}$ be a set of actions such that $\mathcal{A} \subseteq local(A)$. Then define $A \setminus \mathcal{A}$ to be the safe I/O automaton such that 

1. $states(A \setminus \mathcal{A}) = states(A)$ 

2. $start(A \setminus \mathcal{A}) = start(A)$ 

3. $in(A \setminus \mathcal{A}) = in(A)$ 

4. $out(A \setminus \mathcal{A}) = out(A) \setminus \mathcal{A}$ 

5. $int(A \setminus \mathcal{A}) = int(A) \cup \mathcal{A}$ 

6. $steps(A \setminus \mathcal{A}) = steps(A)$ 



The final operator on safe I/O automata is action renaming. Several processes might be identical 
except for their actions' names. A classical example is given by the processes of a token ring 
communication network. Such processes could be easily specified by first defining a generic 
process and then creating an instance for each process through renaming of the actions. Action 
renaming can also be used to resolve name clashes that lead to incompatibilities in Definition 2.2. 

Definition 2.4 (Action renaming) 

A mapping $\rho$ from actions to actions is applicable to a safe I/O automaton $A$ if it is injective and $acts(A) \subseteq dom(\rho)$. Given a safe I/O automaton $A$ and a mapping $\rho$ applicable to $A$, we define $\rho(A)$ to be the safe I/O automaton such that 

1. $states(\rho(A)) = states(A)$ 

2. $start(\rho(A)) = start(A)$ 

3. $in(\rho(A)) = \rho(in(A))$ 

4. $out(\rho(A)) = \rho(out(A))$ 

5. $int(\rho(A)) = \rho(int(A))$ 

6. $steps(\rho(A)) = \{(s, \rho(a), s') \mid (s, a, s') \in steps(A)\}$ 



2.1.2 Live I/O Automata 

We have now described the safety component of a live I/O automaton. The liveness condition 
should specify which executions of a safe I/O automaton are considered to represent a properly 
working system. For this reason a liveness condition, in this model, is a subset of the executions of 
the safe I/O automaton. However, a liveness condition is used to restrict the long-term behavior 
of a system, i.e., to specify what must happen sooner or later. Thus, any finite execution of 
the safe I/O automaton should have an extension in the liveness condition. In other words, no 
matter what the safe I/O automaton has done up to some time, there is still a way for it to 
behave properly according to the liveness condition. 

This definition of a liveness condition only ensures that the liveness condition does not 
introduce more safety than is already specified by the safe I/O automaton. It does not, however, 
capture the fact that a live I/O automaton must not constrain its environment. To express this 
idea (the environment-freedom condition) formally, we set up a game between the system and 
its environment, and the system is then environment-free if it can win the game no matter what 
moves the environment performs, i.e., if the system has a winning strategy. The environment 
moves by providing any finite number of input actions, and the system moves by performing a 
local step, i.e., a step labeled by a locally-controlled action, or by making no step (a $\bot$ move). 
The fact that the environment is allowed to provide any finite number of input actions at any 
move expresses that the environment can be arbitrarily but not infinitely fast compared to the 
system. Note also that the environment provides actions and not steps. This is because the 
environment has no control over the state of the system: the environment provides the action 
and the system decides which of the possible states it should reach in response. 

The behavior of the system during the game is determined by a strategy. A strategy is a pair $(g, f)$ of functions, where $g$ determines which state to reach in response to an input action, and $f$ determines the moves of the system. The notion of strategy is formalized as follows. 

Definition 2.5 (Strategy) 

Consider any safe I/O automaton $A$. A strategy defined on $A$ is a pair of functions $(g, f)$ where $g : exec^*(A) \times in(A) \to states(A)$ and $f : exec^*(A) \to (local(A) \times states(A)) \cup \{\bot\}$ such that 

1. $g(\alpha, a) = s$ implies $(lstate(\alpha), a, s) \in steps(A)$ 

2. $f(\alpha) = (a, s)$ implies $(lstate(\alpha), a, s) \in steps(A)$ 



The moves of the environment during the game are represented as an infinite sequence $\mathcal{I}$, called an environment sequence, of input actions interleaved with infinitely many $\lambda$ symbols. The symbol $\lambda$ is used to represent the points at which the system is allowed to move. The occurrence of infinitely many $\lambda$ symbols in an environment sequence guarantees that each environment move consists of only finitely many input actions. 

Remember from the discussion above that after any finite execution the system should still 
have a way of behaving properly. This is reflected in the following definition of the outcome of 
a strategy. 

Definition 2.6 (Outcome of a strategy) 

Let $A$ be a safe I/O automaton and $(g, f)$ a strategy defined on $A$. Define an environment sequence for $A$ to be any infinite sequence of symbols from $in(A) \cup \{\lambda\}$ with infinitely many occurrences of $\lambda$. Then define $R_{(g,f)}$, the next-function induced by $(g, f)$, as follows: for any finite execution $\alpha$ of $A$ and any environment sequence $\mathcal{I}$ for $A$, 

$$R_{(g,f)}(\alpha, \mathcal{I}) = \begin{cases} (\alpha a s, \mathcal{I}') & \text{if } \mathcal{I} = \lambda \mathcal{I}',\ f(\alpha) = (a, s) \\ (\alpha, \mathcal{I}') & \text{if } \mathcal{I} = \lambda \mathcal{I}',\ f(\alpha) = \bot \\ (\alpha a s, \mathcal{I}') & \text{if } \mathcal{I} = a \mathcal{I}',\ g(\alpha, a) = s \end{cases}$$ 

Let $\alpha$ be any finite execution of $A$ and $\mathcal{I}$ any environment sequence for $A$. The outcome sequence of $(g, f)$ given $\alpha$ and $\mathcal{I}$ is the unique infinite sequence $(\alpha^n, \mathcal{I}^n)_{n \ge 0}$ that satisfies: 

• $(\alpha^0, \mathcal{I}^0) = (\alpha, \mathcal{I})$ and 

• For all $n > 0$, $(\alpha^n, \mathcal{I}^n) = R_{(g,f)}(\alpha^{n-1}, \mathcal{I}^{n-1})$ 

Note that $(\alpha^n)_{n \ge 0}$ forms a chain ordered by prefix. 

The outcome $O_{(g,f)}(\alpha, \mathcal{I})$ of the strategy $(g, f)$ given $\alpha$ and $\mathcal{I}$ is the execution $\lim_{n \to \infty} \alpha^n$, where $(\alpha^n, \mathcal{I}^n)_{n \ge 0}$ is the outcome sequence of $(g, f)$ given $\alpha$ and $\mathcal{I}$ and the limit is taken under prefix ordering. 



It is easy to see that any outcome of a strategy is an execution of the safe I/O automaton. The concepts of strategies and outcomes are used to define formally the environment-freedom property. 

Definition 2.7 (Environment-freedom) 

A pair $(A, L)$, where $A$ is a safe I/O automaton and $L \subseteq exec(A)$, is environment-free if there exists a strategy $(g, f)$ defined on $A$ such that for any finite execution $\alpha$ of $A$ and any environment sequence $\mathcal{I}$ for $A$, the outcome $O_{(g,f)}(\alpha, \mathcal{I})$ is an element of $L$. The strategy $(g, f)$ is called an environment-free strategy for $(A, L)$. 



Clearly, if a pair $(A, L)$ is environment-free, then any finite execution of $A$ has an extension in $L$. Finally we can present the notion of live I/O automaton. 

Definition 2.8 (Live I/O automata) 

A live I/O automaton is a pair $(A, L)$ where $A$ is a safe I/O automaton and $L \subseteq exec(A)$ such that $(A, L)$ is environment-free. We refer to the executions in $L$ as the live executions of $(A, L)$. Similarly the traces in $traces(L)$ are referred to as the live traces of $(A, L)$. 



In Chapter 4 we will define some standard liveness conditions, like weak fairness, for safe I/O 
automata and show once and for all that the resulting pairs are environment-free. 

The operators on safe I/O automata can now be extended to live I/O automata. For parallel 
composition the liveness condition for a composed system consists of all those executions whose 
projection to the components yield live executions of the components. That corresponds to the 
intuitive idea that a composed system works properly if all components work properly. 

Definition 2.9 (Parallel composition of live I/O automata) 

Live I/O automata $(A_1, L_1), \ldots, (A_N, L_N)$ are compatible if the safe I/O automata $A_1, \ldots, A_N$ are compatible. 

The parallel composition $(A_1, L_1) \parallel \cdots \parallel (A_N, L_N)$ of compatible live I/O automata $(A_1, L_1), \ldots, (A_N, L_N)$ is defined to be the pair $(A, L)$ where $A = A_1 \parallel \cdots \parallel A_N$ and $L = \{\alpha \in exec(A) \mid \alpha \lceil A_1 \in L_1, \ldots, \alpha \lceil A_N \in L_N\}$. 



Definition 2.10 (Action hiding of live I/O automata) 

Let $(A, L)$ be a live I/O automaton and let $\mathcal{A}$ be a set of actions such that $\mathcal{A} \subseteq local(A)$. Then define $(A, L) \setminus \mathcal{A}$ to be the pair $(A \setminus \mathcal{A}, L)$. 



Definition 2.11 (Action renaming of live I/O automata) 

A mapping $\rho$ from actions to actions is applicable to a live I/O automaton $(A, L)$ if it is applicable to $A$. Let $\alpha$ be any execution of $A$. Define $\rho(\alpha)$ to be the sequence that results from replacing each occurrence of every action $a$ in $\alpha$ by $\rho(a)$. Given a live I/O automaton $(A, L)$ and a mapping $\rho$ applicable to $(A, L)$, we define $\rho((A, L))$ to be the pair $(\rho(A), \rho(L))$.[4] 



An important property of the operators is that they are closed for live I/O automata in the 
sense that they produce new live I/O automata. 

Proposition 2.12 (Closure of parallel composition) 

Let $(A_1, L_1), \ldots, (A_N, L_N)$ be compatible live I/O automata. Then $(A_1, L_1) \parallel \cdots \parallel (A_N, L_N)$ is a live I/O automaton. 



Proposition 2.13 (Closure of action hiding) 

Let $(A, L)$ be a live I/O automaton and let $\mathcal{A} \subseteq local(A)$. Then $(A, L) \setminus \mathcal{A}$ is a live I/O automaton. 



Proposition 2.14 (Closure of action renaming) 

Let $(A, L)$ be a live I/O automaton and let $\rho$ be a mapping applicable to $(A, L)$. Then $\rho((A, L))$ is a live I/O automaton. 



2.1.3 Correctness 

The notion of correct implementation between live I/O automata is based on their live traces. A live I/O automaton $(A, L)$ is said to correctly implement a live I/O automaton $(B, M)$, with the same input and output actions, if all live traces of $(A, L)$ are also live traces of $(B, M)$. This correctness notion ensures that whatever $(A, L)$ does, $(B, M)$ could have done the same. That is, $(A, L)$ does nothing wrong, which in other words means that $(A, L)$ satisfies the safety specified by $(B, M)$. Furthermore, the correctness notion also guarantees that $(A, L)$ in fact does something, because the correctness notion is based on live traces, i.e., traces where something "good" happens. 

Sometimes one is not interested in the liveness of a system and therefore specifies a system as a safe I/O automaton. One safe I/O automaton $A$ is said to safely implement a safe I/O automaton $B$, with the same input and output actions, if all traces of $A$ are also traces of $B$. This notion of safe implementation does not guarantee that $A$ does anything at all. In fact, a safe I/O automaton $A$ with one state, no local steps, and "self-loop" steps for each of its input actions, is a safe implementation of any safe I/O automaton with the same input and output actions. The notion of safe implementation trivially extends to live I/O automata.

² As a notational convention we allow a function to be applied to subsets of elements from the domain of the function. The result is then the set obtained by applying the function to each element of the subset. Thus, $\rho(L) = \{\rho(\alpha) \mid \alpha \in L\}$.

Definition 2.15 (Implementation relations)

Given two live I/O automata $(A, L)$ and $(B, M)$ such that $in(A) = in(B)$ and $out(A) = out(B)$, define the following implementation relations:

Safe:     $A \sqsubseteq_S B$                iff  $traces(A) \subseteq traces(B)$

Safe:     $(A, L) \sqsubseteq_S (B, M)$      iff  $A \sqsubseteq_S B$

Correct:  $(A, L) \sqsubseteq_L (B, M)$      iff  $traces(L) \subseteq traces(M)$

The symbol $\sqsubseteq_S$ indicates that this relation is based on Safe traces. Similarly $\sqsubseteq_L$ is based on Live traces. All implementation relations are clearly preorders.
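The safe implementation relation $\sqsubseteq_S$ of Definition 2.15, and the remark above that a one-state automaton with only input self-loops safely implements anything, can be checked mechanically on small finite-state automata by enumerating traces up to a length bound. The following Python is an added example and not code from the report: it encodes a constructed FIFO-channel specification $B$, an implementation $A$ that adds an internal `transfer` step, a faulty variant that may deliver out of order, and the trivial one-state automaton, and then checks trace inclusion up to length $k$. The automaton encoding (dicts with a `steps` function returning successor states), the action names and the bound are all assumptions of the example.

```python
from collections import deque

# Constructed toy automata (not the report's): message alphabet and signature.
MESSAGES = ("a", "b")
SEND = frozenset(f"send({m})" for m in MESSAGES)       # input actions
RECV = frozenset(f"receive({m})" for m in MESSAGES)    # output actions

def payload(action):
    """'send(a)' -> 'a', 'receive(b)' -> 'b'."""
    return action[action.index("(") + 1:-1]

def spec_steps(queue, action):
    """Specification B: a FIFO queue of undelivered messages. send(m) appends m
    (input-enabled: always allowed); receive(m) is enabled only if m is at the head."""
    if action in SEND:
        return {queue + (payload(action),)}
    return {queue[1:]} if queue and queue[0] == payload(action) else set()

def impl_steps(state, action):
    """Implementation A: two FIFO buffers joined by an internal 'transfer' step.
    Traces hide 'transfer', so externally A looks like the single queue of B."""
    pending, ready = state
    if action in SEND:
        return {(pending + (payload(action),), ready)}
    if action == "transfer":
        return {(pending[1:], ready + (pending[0],))} if pending else set()
    return {(pending, ready[1:])} if ready and ready[0] == payload(action) else set()

def bad_steps(state, action):
    """A faulty variant of A that may deliver any buffered message, out of order."""
    pending, ready = state
    if action in SEND or action == "transfer":
        return impl_steps(state, action)
    m = payload(action)
    if m in ready:
        i = ready.index(m)
        return {(pending, ready[:i] + ready[i + 1:])}
    return set()

def trivial_steps(state, action):
    """The one-state automaton of the text: self-loops on inputs, no local steps."""
    return {state} if action in SEND else set()

SPEC = {"start": (), "in": SEND, "out": RECV, "int": frozenset(), "steps": spec_steps}
IMPL = {"start": ((), ()), "in": SEND, "out": RECV, "int": frozenset({"transfer"}),
        "steps": impl_steps}
BAD = dict(IMPL, steps=bad_steps)
TRIVIAL = {"start": 0, "in": SEND, "out": RECV, "int": frozenset(), "steps": trivial_steps}

def bounded_traces(aut, k):
    """Exactly the traces of length <= k: breadth-first search over executions, where
    internal actions extend the execution but not the trace. The visited set on
    (state, trace) pairs makes the search terminate even with internal loops."""
    visible = aut["in"] | aut["out"]
    seen, traces = set(), set()
    work = deque([(aut["start"], ())])
    while work:
        state, trace = work.popleft()
        if (state, trace) in seen:
            continue
        seen.add((state, trace))
        traces.add(trace)
        for a in visible | aut["int"]:
            for nxt in aut["steps"](state, a):
                ext = trace + (a,) if a in visible else trace
                if len(ext) <= k:
                    work.append((nxt, ext))
    return traces

def safely_implements(a, b, k):
    """Bounded check of A ⊑_S B: (True, None) if every trace of A of length <= k is a
    trace of B, otherwise (False, shortest offending trace). A bounded check can refute
    the relation with a witness but only supports it up to the bound."""
    assert a["in"] == b["in"] and a["out"] == b["out"], "same input/output actions required"
    allowed = bounded_traces(b, k)
    for trace in sorted(bounded_traces(a, k), key=len):
        if trace not in allowed:
            return False, trace
    return True, None
```

`safely_implements(BAD, SPEC, 3)` returns a three-action witness such as `('send(a)', 'send(b)', 'receive(b)')`, a trace $B$ cannot produce, while `IMPL` and the trivial automaton both pass; the latter illustrates why a safe implementation says nothing about liveness. A pass is evidence only up to the bound $k$; an unbounded state space needs a proof technique rather than enumeration.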

2.1.4 Substitutivity

An important property of the model is that it allows a modular approach to systems specification and verification. If, for instance, a system $S$ is made up of several parallel components, it is possible to implement each component of $S$ separately and still obtain an implementation of $S$. This is usually referred to as the substitutivity of the implementation relations with respect to the parallel composition operator. Similar results exist for the other two operators, as stated in the following proposition.

Proposition 2.16 (Substitutivity)

Let $(A_i, L_i), (B_i, M_i)$, $i = 1, \ldots, N$, be live I/O automata with $in(A_i) = in(B_i)$ and $out(A_i) = out(B_i)$, and let $\sqsubseteq_X$ be one relation among $\sqsubseteq_S$ and $\sqsubseteq_L$. If, for each $i$, $(A_i, L_i) \sqsubseteq_X (B_i, M_i)$, then

1. if $(A_1, L_1), \ldots, (A_N, L_N)$ are compatible and $(B_1, M_1), \ldots, (B_N, M_N)$ are compatible then
   $(A_1, L_1) \| \cdots \| (A_N, L_N) \sqsubseteq_X (B_1, M_1) \| \cdots \| (B_N, M_N)$.

2. if $\Lambda \subseteq local(A_1)$ and $\Lambda \subseteq local(B_1)$ then
   $(A_1, L_1) \setminus \Lambda \sqsubseteq_X (B_1, M_1) \setminus \Lambda$.

3. if $\rho$ is a mapping applicable to both $A_1$ and $B_1$ then
   $\rho((A_1, L_1)) \sqsubseteq_X \rho((B_1, M_1))$.

Note, in Part 1 of the proposition, that even though $(A_1, L_1), \ldots, (A_N, L_N)$ are compatible, the specifications $(B_1, M_1), \ldots, (B_N, M_N)$ need not be: they are not compatible if they contain internal actions that collide with existing actions of other components. Thus, we must also require that $(B_1, M_1), \ldots, (B_N, M_N)$ be compatible. In practice the problem is usually solved by choosing brand new names for the internal actions introduced in an implementation. Similar considerations apply to Parts 2 and 3.
2.2 The Model for Timed Systems

The timed model, called live timed I/O automata, is very similar to the untimed model in that it consists of an automaton part (safe timed I/O automaton) and a liveness condition. Each state of the safe timed I/O automaton has an associated time, returned by the mapping $.now$, and there is a special time-passage action $\nu$ representing the passage of time. The steps of a safe timed I/O automaton are restricted such that time-passage steps must increase time and all other steps must not change time. Thus, all steps other than time-passage steps are thought of as occurring instantaneously. There are a few other restrictions representing natural properties of time.

2.2.1 Safe Timed I/O Automata 

Times are specified using a dense time domain $T = \mathbb{R}^{\geq 0}$, i.e., the set of non-negative reals.

Definition 2.17 (Safe timed I/O automata)

A safe timed I/O automaton $A$ consists of five components:

• A set $states(A)$ of states.

• A nonempty set $start(A)$ of start states ($start(A) \subseteq states(A)$).

• A mapping $.now_A : states(A) \to T$ (called $.now$ when $A$ is clear from context), indicating the current time in a given state.

• An action signature $sig(A) = (in(A), out(A), int(A))$ of disjoint sets of input, output, and internal actions, respectively. Denote by $ext(A)$ the set $in(A) \cup out(A) \cup \{\nu\}$ of external actions, where $\nu$ is a special time-passage action, by $vis(A)$ the set $in(A) \cup out(A)$ of visible actions, by $local(A)$ the set $out(A) \cup int(A)$ of locally-controlled actions, and by $acts(A)$ the set $ext(A) \cup int(A)$ of actions.

• A transition relation $steps(A) \subseteq states(A) \times acts(A) \times states(A)$.

$A$ must be input-enabled and satisfy the following five axioms:

S1 If $s \in start(A)$ then $s.now = 0$.

S2 If $(s, a, s') \in steps(A)$ and $a \neq \nu$, then $s'.now = s.now$.

S3 If $(s, \nu, s') \in steps(A)$ then $s'.now > s.now$.

S4 If $(s, \nu, s') \in steps(A)$ and $(s', \nu, s'') \in steps(A)$, then $(s, \nu, s'') \in steps(A)$.

To be able to state the last axiom, the following auxiliary definition is needed. Let $I$ be an interval of $T$. Then a function $\omega : I \to states(A)$ is an $A$-trajectory, sometimes called a trajectory when $A$ is clear from context, if

1. $\omega(t).now = t$ for all $t \in I$, and

2. $(\omega(t), \nu, \omega(t')) \in steps(A)$ for all $t, t' \in I$ with $t < t'$.

That is, $\omega$ assigns to each time $t$ in the interval $I$ a state having the given time $t$ as its $now$ component. The assignment is done in such a way that time-passage steps can span between any pair of states in the range of $\omega$. Denote $\inf(I)$ and $\sup(I)$ by $ftime(\omega)$ and $ltime(\omega)$, respectively. If $I$ is left-closed, then denote $\omega(ftime(\omega))$ by $fstate(\omega)$. Similarly, if $I$ is right-closed, then denote $\omega(ltime(\omega))$ by $lstate(\omega)$. If $I$ is closed, then $\omega$ is said to be an $A$-trajectory from $fstate(\omega)$ to $lstate(\omega)$. An $A$-trajectory $\omega$ whose domain $dom(\omega)$ is a singleton set $[t, t]$ is also denoted by the set $\{\omega(t)\}$.

The final axiom then becomes

S5 If $(s, \nu, s') \in steps(A)$ then there exists an $A$-trajectory from $s$ to $s'$.

Axiom S1 states that time must be 0 in any start state. Axiom S2 says that non-time-passage steps occur instantaneously, at a single point in time. In this framework, operations with some duration in time are modeled by a start action and an end action. Axiom S3 says that time-passage steps cause time to increase. Axiom S4 gives a natural property of time, namely that if time can pass in two steps, then it can also pass in a single step. Finally, Axiom S5 says that if time can pass from time $t$ to time $t'$, then it is possible to associate states with all times in the interval in a consistent way. This axiom opens the possibility of specifying hybrid systems, i.e., systems where the state can change continuously when time passes. However, in the systems we will look at in this work the states consist of a "basic" state and a $now$ variable, and the basic state does not change during time-passage.

2.2.1.1 Timed Executions

The notions of executions and traces, and the operations on these, carry over from the untimed setting. However, executions do not adequately capture the behavior of a system, since they do not tell us what states the system goes through during time-passage. For this reason a notion of timed executions is introduced.

A timed execution fragment $\Sigma$ of a safe timed I/O automaton $A$ is a (finite or infinite) sequence of alternating $A$-trajectories and actions in $vis(A) \cup int(A)$, starting with a trajectory and, if the sequence is finite, ending with a trajectory,

$\Sigma = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$

such that the following holds for each index $i$:

1. If $\omega_i$ is not the last trajectory in $\Sigma$, then its domain is a closed interval. If $\omega_i$ is the last trajectory of $\Sigma$ (when $\Sigma$ is a finite sequence), then its domain is a left-closed interval (and either open or closed to the right).

2. If $\omega_i$ is not the last trajectory of $\Sigma$, then $(lstate(\omega_i), a_{i+1}, fstate(\omega_{i+1})) \in steps(A)$.

A timed execution is a timed execution fragment $\omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ for which $fstate(\omega_0)$ is a start state.

If $\Sigma$ is a timed execution fragment, then define $ftime(\Sigma)$ and $fstate(\Sigma)$ to be $ftime(\omega_0)$ and $fstate(\omega_0)$, respectively, where $\omega_0$ is the first trajectory of $\Sigma$. Also, define $ltime(\Sigma)$ to be the supremum of the union of the domains of the trajectories of $\Sigma$. Finally, if $\Sigma$ is a finite sequence where the domain of the last trajectory $\omega$ is a closed interval, define $lstate(\Sigma)$ to be $lstate(\omega)$.
2.2.1.2 Finite, Admissible, and Zeno Timed Executions

The timed executions and timed execution fragments of a safe timed I/O automaton can be partitioned into finite, admissible, and Zeno timed executions and timed execution fragments.

A timed execution (fragment) $\Sigma$ is defined to be finite if it is a finite sequence and the domain of the last trajectory is closed. A timed execution (fragment) $\Sigma$ is admissible if $ltime(\Sigma) = \infty$. Finally, a timed execution (fragment) $\Sigma$ is Zeno if it is neither finite nor admissible.

There are basically two types of Zeno timed executions: those containing infinitely many occurrences of non-time-passing actions but for which there is a finite upper bound on the times in the domains of the trajectories, and those containing finitely many occurrences of non-time-passing actions and for which the domain of the last trajectory is right-open. Thus, Zeno timed executions represent executions of a safe timed I/O automaton where an infinite amount of activity occurs in a bounded period of time. (For the second type of Zeno timed executions, the infinitely many time-passage steps needed to span the right-open interval should be thought of as the "infinite amount of activity".)

There are idealized processes that naturally exhibit Zeno behaviors. As an example, consider a ball which is bouncing on the floor and is losing a fraction of its energy at each bounce. Ideally the ball will bounce infinitely many times within a finite amount of time. Note, however, that the safe timed I/O automaton model cannot suitably model this process, since there is no way of specifying what happens after the ball stops bouncing. On the other hand, Zeno behaviors will not occur in the computer systems we usually want to specify.

Below we will be mostly interested in the admissible timed executions, since they correspond to our intuition that time is a force beyond our control that happens to approach infinity.

Denote by $t\text{-}frag^*(A)$, $t\text{-}frag^\infty(A)$, $t\text{-}frag^z(A)$, and $t\text{-}frag(A)$ the sets of finite, admissible, Zeno, and all timed execution fragments of $A$. Similarly, denote by $t\text{-}exec^*(A)$, $t\text{-}exec^\infty(A)$, $t\text{-}exec^z(A)$, and $t\text{-}exec(A)$ the sets of finite, admissible, Zeno, and all timed executions of $A$.

A finite timed execution fragment $\Sigma_1 = \omega_0 a_1 \omega_1 \cdots a_n \omega_n$ of $A$ and a timed execution fragment $\Sigma_2 = \omega'_n a_{n+1} \omega_{n+1} a_{n+2} \omega_{n+2} \cdots$ of $A$ can be concatenated if $lstate(\Sigma_1) = fstate(\Sigma_2)$. The concatenation, written $\Sigma_1 \frown \Sigma_2$, is defined to be $\Sigma = \omega_0 a_1 \omega_1 \cdots a_n (\omega_n \frown \omega'_n) a_{n+1} \omega_{n+1} a_{n+2} \omega_{n+2} \cdots$, where $(\omega \frown \omega')(t)$ is defined to be $\omega(t)$ if $t$ is in $dom(\omega)$, and $\omega'(t)$ if $t$ is in $dom(\omega') \setminus dom(\omega)$. It is easy to see that $\Sigma$ is a timed execution fragment of $A$.

The notion of timed prefix, called t-prefix, for timed execution fragments is defined as follows. A timed execution fragment $\Sigma_1$ of $A$ is a t-prefix of a timed execution fragment $\Sigma_2$ of $A$, written $\Sigma_1 \leq_t \Sigma_2$, if either $\Sigma_1 = \Sigma_2$ or $\Sigma_1$ is finite and there exists a timed execution fragment $\Sigma'_1$ of $A$ such that $\Sigma_2 = \Sigma_1 \frown \Sigma'_1$. Likewise, $\Sigma_1$ is a t-suffix of $\Sigma_2$ if there exists a finite timed execution fragment $\Sigma'_1$ such that $\Sigma_2 = \Sigma'_1 \frown \Sigma_1$.

Define $\Sigma \triangleleft t$, read "$\Sigma$ before $t$", for all $t \geq ftime(\Sigma)$, to be the t-prefix of $\Sigma$ that includes exactly all states with times not bigger than $t$.

Likewise, define $\Sigma \triangleright t$, read "$\Sigma$ after $t$", for all $t < ltime(\Sigma)$, or all $t \leq ltime(\Sigma)$ when $\Sigma$ is finite, to be the t-suffix of $\Sigma$ that includes exactly all states with times not smaller than $t$.

2.2.1.3 Timed Traces

In the untimed setting automata are compared based on their traces. This turns out to be inadequate in the timed set­ting, because traces do not capture the invisible nature of time-passage actions and furthermore do not contain information about the time of occurrence of the visible actions. For this reason a notion of timed traces is introduced. We first define the notion of timed sequence.

A timed sequence over a set $K$ is defined to be a (finite or infinite) sequence $\delta$ over $K \times T$ in which the second components (the time components) are nondecreasing. Define $\delta$ to be Zeno if it is infinite and the limit of the time components is finite. For any nonempty timed sequence $\delta$, define $ftime(\delta)$ to be the time component of the first pair in $\delta$.

Now, let $\Sigma = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ be a timed execution fragment of a safe timed I/O automaton $A$. For each $a_i$, define its time of occurrence $t_i$ to be $ltime(\omega_{i-1})$, or equivalently, $ftime(\omega_i)$. Then, define $t\text{-}seq(\Sigma)$ to be the timed sequence consisting of the actions in $\Sigma$ paired with their time of occurrence:

$t\text{-}seq(\Sigma) = (a_1, t_1)(a_2, t_2) \cdots$

Then $t\text{-}trace(\Sigma)$, the timed trace of $\Sigma$, is defined to be the pair

$t\text{-}trace_A(\Sigma) = (t\text{-}seq(\Sigma) \lceil (vis(A) \times T),\ ltime(\Sigma))$

Thus, $t\text{-}trace(\Sigma)$ records the occurrences of visible actions together with their time of occurrence, and the limit time of the timed execution fragment. The timed trace suppresses both internal and time-passage actions.

Let $t\text{-}traces^*(A)$, $t\text{-}traces^\infty(A)$, $t\text{-}traces^z(A)$, and $t\text{-}traces(A)$ denote the sets of timed traces of $A$ obtained from finite, admissible, Zeno, and all timed executions of $A$, respectively.
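To make the definitions of timed execution fragments, their classification, timed traces and the before/after operators concrete, here is an added Python example (not code from the report). It represents a trajectory by its interval, its closedness on the right and a constant basic state, as the report assumes for the systems it studies, and stores a fragment as a Python list alternating trajectories and actions. The sample fragment, the action names and this representation are constructed for the example.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Traj:
    """An A-trajectory ω with domain [t0, t1] (or [t0, t1) when right_closed is
    False; t1 may be math.inf). Following the report, the 'basic' part of the
    state is constant while time passes, so ω(t) = (basic, t) for t in the domain."""
    t0: float
    t1: float
    basic: object
    right_closed: bool = True

    def fstate(self):
        return (self.basic, self.t0)

    def lstate(self):
        assert self.right_closed and self.t1 < math.inf, "lstate needs a closed domain"
        return (self.basic, self.t1)

# A timed execution fragment Σ = ω0 a1 ω1 a2 ω2 ... ωn is a list alternating
# Traj objects and action names, starting and ending with a Traj.

def well_formed(frag):
    """Timing conditions on Σ: every trajectory but the last has a closed domain,
    and an action is instantaneous (axiom S2), so ltime(ω_i) = ftime(ω_{i+1})."""
    trajs, acts = frag[0::2], frag[1::2]
    if len(trajs) != len(acts) + 1 or any(w.t0 > w.t1 for w in trajs):
        return False
    for w, w_next in zip(trajs, trajs[1:]):
        if not w.right_closed or w.t1 == math.inf or w.t1 != w_next.t0:
            return False
    return True

def ltime(frag):
    return frag[-1].t1

def classify(frag):
    """finite / admissible / zeno for a fragment stored as a finite list. (Zeno
    executions with infinitely many actions cannot be stored as a list; here a
    Zeno fragment is one whose last trajectory is right-open with finite ltime.)"""
    last = frag[-1]
    if last.t1 == math.inf:
        return "admissible"
    return "finite" if last.right_closed else "zeno"

def t_seq(frag):
    """Actions paired with their time of occurrence ltime(ω_{i-1})."""
    return tuple((frag[j], frag[j - 1].t1) for j in range(1, len(frag), 2))

def t_trace(frag, vis):
    """t-trace(Σ): visible actions with their times, plus ltime(Σ); internal and
    time-passage actions are suppressed."""
    return (tuple(p for p in t_seq(frag) if p[0] in vis), ltime(frag))

def before(frag, t):
    """Σ before t: the t-prefix holding exactly the states with time <= t."""
    assert t >= frag[0].t0
    out = []
    for j, item in enumerate(frag):
        if j % 2:                          # an action at time frag[j-1].t1 <= t
            out.append(item)
            continue
        if item.t1 <= t:                   # whole trajectory lies at or before t
            out.append(item)
        else:                              # cut ω to the closed interval [t0, t]
            out.append(Traj(item.t0, t, item.basic))
            break
    return out

def after(frag, t):
    """Σ after t: the t-suffix holding exactly the states with time >= t."""
    assert t <= ltime(frag)
    out = []
    for j, item in enumerate(frag):
        if j % 2:
            if frag[j - 1].t1 >= t:        # keep actions occurring at or after t
                out.append(item)
            continue
        if item.t1 < t or (item.t1 == t and not item.right_closed):
            continue                       # trajectory lies entirely before t
        out.append(Traj(max(item.t0, t), item.t1, item.basic, item.right_closed))
    return out

def concat(s1, s2):
    """Σ1 ⌢ Σ2, defined when lstate(Σ1) = fstate(Σ2): the boundary trajectories
    ω_n and ω'_n are merged into one."""
    w1, w2 = s1[-1], s2[0]
    assert w1.lstate() == w2.fstate(), "fragments do not meet"
    return s1[:-1] + [Traj(w1.t0, w2.t1, w1.basic, w2.right_closed)] + s2[1:]

# Constructed sample: a channel that takes a send at 1.5, an internal transfer
# at 2.0, delivers at 3.2, and then lets time pass forever (admissible).
SAMPLE = [Traj(0.0, 1.5, "idle"), "send(a)", Traj(1.5, 2.0, "buffered"), "transfer",
          Traj(2.0, 3.2, "ready"), "receive(a)", Traj(3.2, math.inf, "idle")]
VISIBLE = {"send(a)", "receive(a)"}
```

Note the edge case at an action time: `before(Σ, t)` and `after(Σ, t)` both contain the two states at time $t$ when an action occurs exactly at $t$, so `concat(before(Σ, t), after(Σ, t))` reproduces Σ only when no action occurs at $t$ (as for the sample at $t = 2.5$, but not at $t = 2.0$). Zeno fragments with infinitely many actions cannot be stored as a finite list; `classify` therefore only recognises the second kind of Zeno fragment, whose last trajectory is right-open.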

2.2.1.4 Operations on Safe Timed I/O Automata

As in the untimed setting, there are three operators defined on safe timed I/O automata: parallel composition, action hiding, and action renaming. The definitions are similar to the ones in the untimed setting, except that special care has to be taken concerning the handling of time. For instance, in the parallel composition, all components must agree on real time.

Definition 2.18 (Parallel composition)

Safe timed I/O automata $A_1, \ldots, A_N$ are compatible if for all $1 \leq i, j \leq N$ with $i \neq j$

1. $out(A_i) \cap out(A_j) = \emptyset$

2. $int(A_i) \cap acts(A_j) = \emptyset$

The parallel composition $A_1 \| \cdots \| A_N$ of compatible safe timed I/O automata $A_1, \ldots, A_N$ is the safe timed I/O automaton $A$ such that

1. $states(A) = \{(s_1, \ldots, s_N) \in states(A_1) \times \cdots \times states(A_N) \mid s_1.now_{A_1} = \cdots = s_N.now_{A_N}\}$

2. $start(A) = start(A_1) \times \cdots \times start(A_N)$

3. $(s_1, \ldots, s_N).now_A = s_1.now_{A_1}\ (= s_2.now_{A_2} = \cdots = s_N.now_{A_N})$

4. $out(A) = out(A_1) \cup \cdots \cup out(A_N)$

5. $in(A) = (in(A_1) \cup \cdots \cup in(A_N)) \setminus out(A)$

6. $int(A) = int(A_1) \cup \cdots \cup int(A_N)$

7. $((s_1, \ldots, s_N), a, (s'_1, \ldots, s'_N)) \in steps(A)$ iff for all $1 \leq i \leq N$

   (a) if $a \in acts(A_i)$ then $(s_i, a, s'_i) \in steps(A_i)$

   (b) if $a \notin acts(A_i)$ then $s_i = s'_i$

Note how Condition 7 of the definition captures both time-passage steps (where all components participate, since $\nu \in acts(A_i)$ for every $i$) and other steps (where a subset of the components participate).

Just like (ordinary) execution fragments can be projected to components in a composed system, it is possible to define projection on timed execution fragments. If $\Sigma = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ is a timed execution fragment of a safe timed I/O automaton $A = A_1 \| \cdots \| A_N$, define $\Sigma\lceil A_i$ to be the timed execution fragment of $A_i$ obtained by first projecting each state in the range of each trajectory to $A_i$, and then, for each action $a_j \notin acts(A_i)$, removing $a_j$ and merging the two (projected) trajectories to the left and right of $a_j$. (Thus, if none of the actions belongs to $A_i$, the result is one big trajectory representing time-passage of $A_i$.)

Action hiding and action renaming for safe timed I/O automata can also be defined.

Definition 2.19 (Action hiding)

Let $A$ be a safe timed I/O automaton and let $\Lambda$ be a set of actions such that $\Lambda \subseteq local(A)$. Then define $A \setminus \Lambda$ to be the safe timed I/O automaton such that

1. $states(A \setminus \Lambda) = states(A)$

2. $start(A \setminus \Lambda) = start(A)$

3. $.now_{A \setminus \Lambda} = .now_A$

4. $in(A \setminus \Lambda) = in(A)$

5. $out(A \setminus \Lambda) = out(A) \setminus \Lambda$

6. $int(A \setminus \Lambda) = int(A) \cup \Lambda$

7. $steps(A \setminus \Lambda) = steps(A)$

Definition 2.20 (Action renaming)

A mapping $\rho$ from actions to actions is applicable to a safe timed I/O automaton $A$ if it is injective, $acts(A) \subseteq dom(\rho)$, and $\rho(\nu) = \nu$. Given a safe timed I/O automaton $A$ and a mapping $\rho$ applicable to $A$, define $\rho(A)$ to be the safe timed I/O automaton with

1. $states(\rho(A)) = states(A)$

2. $start(\rho(A)) = start(A)$

3. $.now_{\rho(A)} = .now_A$

4. $in(\rho(A)) = \rho(in(A))$

5. $out(\rho(A)) = \rho(out(A))$

6. $int(\rho(A)) = \rho(int(A))$

7. $steps(\rho(A)) = \{(s, \rho(a), s') \mid (s, a, s') \in steps(A)\}$



2.2.2 Live Timed I/O Automata 

In the untimed setting a liveness condition for a safe I/O automaton A is a subset of the 
executions of A such that a special environment-freedom condition is satisfied. Similarly, in the 
timed setting a liveness condition for a safe timed I/O automaton is a set of timed executions 
such that a special timed version of the environment-freedom condition is satisfied. 

As in the untimed setting the environment-freedom condition is stated in terms of a game 
between the system and its environment. 

The notion of strategy is similar to the one used for the untimed case. However, the presence 
of time has a strong impact on the kind of interactions that can occur between an automaton 
and its environment. 

In the untimed case the environment is allowed to provide any finite number of input actions 
at each move, whereas the system is allowed to perform at most one of its locally-controlled 
steps at each move. In this way it is taken into account that the environment can be arbitrarily 
fast with respect to a system, however, not infinitely fast. In the timed case there is no need 
to assume the environment to be arbitrarily fast because each action occurs at a specific time. 
Therefore, the relative speeds of the system and the environment are given by their timing 
constraints. As a consequence the moves of the environment in the timed setting are input 
actions associated with their time of occurrence. Thus, the behavior of the environment during 
the game can be represented as a timed sequence over input actions. 

If a strategy in the timed setting decides to let time pass, it has to specify explicitly all 
intermediate states since the system must be able to respond to possible inputs during such 
a time-passage phase. Remember, that in our model it is generally not possible to deduce 
deterministically states at intermediate times given a time-passage step. 

Definition 2.21 (Strategy)

Consider any safe timed I/O automaton $A$. A strategy defined on $A$ is a pair of functions $(g, f)$ where $g : t\text{-}exec^*(A) \times in(A) \to states(A)$ and $f : t\text{-}exec^*(A) \to (traj(A) \times local(A) \times states(A)) \cup traj(A)$, where $traj(A)$ denotes the set of $A$-trajectories, such that

1. $g(\Sigma, a) = s$ implies $\Sigma\, a\, \{s\} \in t\text{-}exec^*(A)$

2. $f(\Sigma) = (\omega, a, s)$ implies $\Sigma \frown \omega\, a\, \{s\} \in t\text{-}exec^*(A)$

3. $f(\Sigma) = \omega$ implies $\Sigma \frown \omega \in t\text{-}exec^\infty(A)$

4. $f$ is consistent, i.e., if $f(\Sigma) = (\omega, a, s)$, then, for each $t$ with $ftime(\omega) \leq t \leq ltime(\omega)$, $f(\Sigma \frown (\omega \triangleleft t)) = (\omega \triangleright t, a, s)$, and, if $f(\Sigma) = \omega$, then, for each $t$ with $ftime(\omega) \leq t \leq ltime(\omega)$, $f(\Sigma \frown (\omega \triangleleft t)) = \omega \triangleright t$.

For notational convenience define $f(\Sigma).trj$ to be $\omega$ if $f(\Sigma) = (\omega, a, s)$, and $\omega$ if $f(\Sigma) = \omega$.

A strategy is a pair of functions $(g, f)$. Function $f$ takes a finite timed execution and decides how the system behaves until its next locally-controlled action, under the assumption that no inputs are received in the meantime, whereas function $g$ decides what state to reach whenever some input is received. Condition 1 states that $g$ returns a "legal" next state given the input. Conditions 2 and 3 give the two possibilities for the system moves given by $f$: either $f$ specifies time-passage followed by a local step, or $f$ specifies that the system simply lets time pass forever. Note that $f$ specifies all states during time-passage. This is because, as mentioned above and as we shall see formally below, a move given by $f$ might be interrupted by input actions, and in that case it is necessary to know the current state when the inputs arrive. The consistency condition (Condition 4) for $f$ says that, whenever after a finite timed execution $\Sigma$ the system decides to behave according to $\omega a \{s\}$ or $\omega$, then after performing a part of $\omega$ the system would decide to behave according to the rest of the step $\omega a \{s\}$ or $\omega$. The consistency condition is fundamental for the substitutivity results below.

The game between the system and the environment works as follows. The environment can 
provide any input at any time, while the system lets time pass and provides locally-controlled 
actions according to its strategy. If an input arrives, the system will perform its current step 
till the time at which the input occurs, and then use function g to compute the state to reach 
after the input has occurred. 

In the timed setting the system might decide to perform a step at the same time at which 
the environment provides some input. Such situations are modeled as nondeterministic choices. 
As a consequence, the outcome, i.e., the result of the game, for a timed strategy is a set of timed 
executions. 

Definition 2.22 (Outcome of a strategy)

Let $A$ be a safe timed I/O automaton and $(g, f)$ a strategy defined on $A$. Define a timed environment sequence for $A$ to be a timed sequence over $in(A)$, and define a timed environment sequence $I$ for $A$ to be compatible with a timed execution fragment $\Sigma$ of $A$ if either $I$ is empty, or $\Sigma$ is finite and $ltime(\Sigma) \leq ftime(I)$. Then define $R_{(g,f)}$, the next-relation induced by $(g, f)$, as follows: for any $\Sigma, \Sigma' \in t\text{-}exec(A)$ and any $I, I'$ compatible with $\Sigma, \Sigma'$, respectively, $((\Sigma, I), (\Sigma', I')) \in R_{(g,f)}$ iff one of the following holds:

1. $(\Sigma', I') = (\Sigma \frown \omega a \{s\},\ I)$ where $\Sigma$ is finite, $I = \varepsilon$, $f(\Sigma) = (\omega, a, s)$;

2. $(\Sigma', I') = (\Sigma \frown \omega,\ I)$ where $\Sigma$ is finite, $I = \varepsilon$, $f(\Sigma) = \omega$;

3. $(\Sigma', I') = (\Sigma \frown \omega a \{s\},\ I)$ where $\Sigma$ is finite, $I = (b, t) I''$, $f(\Sigma) = (\omega, a, s)$, $ltime(\omega) \leq t$;

4. $(\Sigma', I') = (\Sigma \frown \omega' a \{s'\},\ I'')$ where $\Sigma$ is finite, $I = (a, t) I''$, $f(\Sigma).trj = \omega$, $ltime(\omega) \geq t$, $\omega' = \omega \triangleleft t$, $g(\Sigma \frown \omega', a) = s'$;

5. $(\Sigma', I') = (\Sigma, I)$ where $\Sigma$ is not finite.

Let $\Sigma$ be a finite timed execution of $A$, and $I$ be a timed environment sequence for $A$ compatible with $\Sigma$.

An outcome sequence of $(g, f)$ given $\Sigma$ and $I$ is an infinite sequence $(\Sigma^n, I^n)_{n \geq 0}$ that satisfies:

• $(\Sigma^0, I^0) = (\Sigma, I)$, and

• for all $n > 0$, $((\Sigma^{n-1}, I^{n-1}), (\Sigma^n, I^n)) \in R_{(g,f)}$.

Note that $(\Sigma^n)_{n \geq 0}$ forms a chain ordered by t-prefix.

The outcome $O_{(g,f)}(\Sigma, I)$ of the strategy $(g, f)$ given $\Sigma$ and $I$ is the set of timed executions $\Sigma'$ for which there exists an outcome sequence $(\Sigma^n, I^n)_{n \geq 0}$ of $(g, f)$ given $\Sigma$ and $I$ such that $\Sigma' = \lim_{n \to \infty} \Sigma^n$.

In the definition of the outcome of a strategy $(g, f)$, the next-relation $R_{(g,f)}$ determines the allowable moves based on incoming inputs or the performance of locally-controlled actions. In this way the outcome sequences of $(g, f)$ given some $\Sigma$ and $I$ are determined step by step.

In the definition of $R_{(g,f)}$, the first, second, and third cases deal with different situations where no input occurs during the system move chosen by $f$; the fourth case, instead, takes care of new incoming inputs; finally, the fifth case is needed for technical reasons, to generate a fixpoint in the outcome sequences once the second case has generated an admissible timed execution. Note that the third and fourth cases might both be applicable whenever an input occurs at exactly the same time at which the system decides to perform a locally-controlled action. This is the reason for which the outcome is a set of timed executions.
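The next-relation is easiest to see on a concrete strategy. The following Python is an added example, not code from the report: it fixes a constructed responder automaton that answers each input `req` with an output `resp` exactly `DELAY` time units later, defines its strategy $(g, f)$, and enumerates all outcome sequences for a finite timed environment sequence by following the five cases of Definition 2.22. Because the basic state is constant while time passes, a finite timed execution is summarised by its action/time pairs and its current state rather than by explicit trajectories; that summary, the action names and `DELAY` are assumptions of the example.

```python
import math
from collections import deque

DELAY = 2  # constructed parameter: each req is answered by a resp exactly DELAY later

# A timed execution Σ of the responder is summarised as
#   (events, now, pending, admissible)
# events: tuple of (action, time) pairs; now: ltime(Σ); pending: sorted tuple of
# due times for outstanding responses; admissible: True once Σ has been extended
# by a trajectory to time ∞ (ltime(Σ) = ∞). Because the basic state does not
# change while time passes, this summary determines every trajectory of Σ.
START = ((), 0, (), False)

def f(sigma):
    """Strategy component f on a finite Σ: either (ltime(ω), a, s), meaning
    'let time pass to ltime(ω), then perform a to reach s', or (∞, None, None),
    meaning 'let time pass forever'. The trajectory ω itself is implicit: the
    basic state stays (pending) while now runs from ltime(Σ) to ltime(ω)."""
    events, now, pending, _ = sigma
    if not pending:
        return (math.inf, None, None)
    due = pending[0]
    return (due, "resp", (due, pending[1:]))      # resp exactly at its due time

def g(sigma, action):
    """Strategy component g: the state (now, pending) reached when input arrives."""
    _, now, pending, _ = sigma
    assert action == "req"
    return (now, tuple(sorted(pending + (now + DELAY,))))

def next_pairs(sigma, env):
    """All (Σ', I') with ((Σ, I), (Σ', I')) in the next-relation R_(g,f)."""
    events, now, pending, admissible = sigma
    if admissible:                                 # case 5: Σ is not finite
        return [(sigma, env)]
    end, a, s = f(sigma)
    succ = []
    if not env:
        if a is None:                              # case 2: Σ ⌢ ω, ltime = ∞
            succ.append(((events, math.inf, pending, True), env))
        else:                                      # case 1: Σ ⌢ ω a {s}
            succ.append(((events + ((a, end),), s[0], s[1], False), env))
        return succ
    (b, t), rest = env[0], env[1:]
    if a is not None and end <= t:                 # case 3: system step first
        succ.append(((events + ((a, end),), s[0], s[1], False), env))
    if end >= t:                                   # case 4: input at t interrupts ω
        cut = (events, t, pending, False)          # Σ ⌢ (ω before t)
        now2, pending2 = g(cut, b)
        succ.append(((events + ((b, t),), now2, pending2, False), rest))
    return succ

def outcome(sigma, env):
    """O_(g,f)(Σ, I) for a finite I: the event sequences of the limits of all
    outcome sequences (each reaches the case-5 fixpoint with ltime = ∞)."""
    limits, work, seen = set(), deque([(sigma, env)]), set()
    while work:
        s, e = work.popleft()
        if (s, e) in seen:
            continue
        seen.add((s, e))
        if s[3]:
            limits.add(s[0])
            continue
        work.extend(next_pairs(s, e))
    return limits
```

With inputs at times 1 and 3 and `DELAY = 2`, the response to the first request is due at exactly the time of the second request, so cases 3 and 4 both apply and the outcome contains two timed executions, differing only in the order of the two actions at time 3. This strategy is not Zeno-tolerant: a Zeno sequence of requests converging to some time $T$ would produce infinitely many responses before $T + 2$, i.e. infinitely many locally-controlled actions in bounded time.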

Assume that the liveness condition for a safe timed I/O automaton could consist of Zeno timed executions only. If another safe timed I/O automaton has a liveness condition consisting of admissible timed executions, the two systems could never work properly when composed in parallel, since the first system would keep time from passing beyond some bound, which could never yield live timed executions of the second system. (Remember that all components in a parallel composition have to agree on real time.)

In this model this problem is solved by restricting attention to admissible timed executions, since these timed executions correspond to our intuition that time grows unboundedly. Thus, in a live timed I/O automaton a liveness condition is a nonempty subset of the admissible timed executions.

However, a problem arises, as illustrated by the following example, which is due to Lamport. Consider two almost identical safe timed I/O automata with the following characteristics. They both have one input action and one output action, and if they receive an input before 12 o'clock they will issue an output after exactly half of the time remaining between the receipt of the input and 12 o'clock. Otherwise no output will be issued. To break the symmetry, one of the safe timed I/O automata will unconditionally issue an output some time before 12 o'clock. Both of these safe timed I/O automata have a nonempty set of admissible timed executions, so adopt these sets to be the liveness conditions of the respective safe timed I/O automata. Now, compose these systems in parallel by connecting the output of one system to the input of the other, and vice versa. Then the resulting system has no admissible timed executions but only Zeno timed executions, where time is constrained from passing beyond 12 o'clock. Seen from either component, the other component prevents time from passing, and neither component will behave properly in the parallel composition. Thus, the parallel composition would not be an element of the model (since it has no admissible timed executions), which contradicts the requirement that the parallel composition operator be closed for live timed I/O automata.
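The Lamport example can be run as a parallel composition in the sense of Definition 2.18. The Python below is an added example, not code from the report: it encodes each component as a small safe timed I/O automaton whose state is its current time and a pending output deadline, builds the composed step relation of Condition 7 (all components take every time-passage step, which is how they agree on real time), and drives the composition by letting time pass to the earliest deadline and firing the output that is due. The encoding, the action names, the choice that an input arriving while an output is already pending is ignored, and the first output time of 11 o'clock are assumptions of the example.

```python
import math
from fractions import Fraction

NOON = Fraction(12)   # "12 o'clock" of the example

class Component:
    """One of the two Lamport components as a safe timed I/O automaton (constructed
    encoding, not the report's). A state is (now, deadline): deadline is the time at
    which the pending output must occur, or None. An input received at time t < NOON
    while nothing is pending sets deadline = t + (NOON - t)/2; other inputs are
    ignored (an assumption: the example does not say what happens then)."""
    def __init__(self, name, inp, out, first_deadline=None):
        self.name, self.inp, self.out = name, inp, out
        self.int = frozenset()                          # no internal actions
        self.start = (Fraction(0), first_deadline)      # S1: now = 0 in a start state

    @property
    def acts(self):
        return {self.inp, self.out, "nu"}

    def steps(self, state, action, now_after=None):
        """Successor states for (state, action); a time-passage step 'nu' also needs
        the target time now_after, which must exceed now (S3) and may not pass a
        pending deadline (that is what makes the output happen on time)."""
        now, deadline = state
        if action == "nu":
            ok = now_after > now and (deadline is None or now_after <= deadline)
            return {(now_after, deadline)} if ok else set()
        if action == self.inp:                          # input-enabled, time unchanged (S2)
            if now < NOON and deadline is None:
                return {(now, now + (NOON - now) / 2)}
            return {(now, deadline)}
        if action == self.out:                          # output exactly at its deadline
            return {(now, None)} if deadline is not None and deadline == now else set()
        return set()

def compatible(comps):
    """Definition 2.18: pairwise disjoint outputs, internals disjoint from all actions."""
    for i, a in enumerate(comps):
        for j, b in enumerate(comps):
            if i != j and (a.out == b.out or a.int & b.acts):
                return False
    return True

class Composition:
    """A1 || ... || AN: states are tuples of component states that agree on now."""
    def __init__(self, *comps):
        assert compatible(comps), "components are not compatible"
        self.comps = comps
        self.start = tuple(c.start for c in comps)

    def now(self, state):
        return state[0][0]

    def steps(self, state, action, now_after=None):
        """Condition 7: each component that has the action in its signature takes a
        step, the others keep their state. For 'nu' every component participates,
        which is how the composition enforces agreement on real time."""
        combos = [()]
        for comp, s in zip(self.comps, state):
            succ = comp.steps(s, action, now_after) if action in comp.acts else {s}
            combos = [c + (n,) for c in combos for n in succ]
        return set(combos)

def run(system, max_outputs):
    """Drive the composition: let time pass as far as the earliest pending deadline
    allows, then fire the output that is due. Returns the timed sequence of outputs
    and the time reached (math.inf when nothing is pending, i.e. time may pass forever)."""
    state, seq = system.start, []
    while len(seq) < max_outputs:
        deadlines = [d for (_, d) in state if d is not None]
        if not deadlines:
            return seq, math.inf
        target = min(deadlines)
        if target > system.now(state):
            (state,) = system.steps(state, "nu", target)
        for comp in system.comps:
            successors = system.steps(state, comp.out)
            if successors:
                (state,) = successors
                seq.append((comp.out, system.now(state)))
                break
    return seq, system.now(state)

def lamport_times(n):
    """Analytic form of the output times: starting at 11, each output halves the
    remaining distance to NOON, so the k-th output is at NOON - 1/2^k."""
    return [NOON - Fraction(1, 2 ** k) for k in range(n)]

# The two components, wired output-to-input: P's output is Q's input and vice versa.
# P breaks the symmetry by unconditionally emitting its first output at 11 o'clock.
P = Component("P", inp="out_Q", out="out_P", first_deadline=Fraction(11))
Q = Component("Q", inp="out_P", out="out_Q")
```

`run(Composition(P, Q), 10)` yields outputs at $12 - 1/2^k$ for $k = 0, \ldots, 9$: every reachable time stays below 12, so the composition has only Zeno timed executions, whereas `run(Composition(P), 5)` shows that $P$ on its own emits one output and then lets time pass forever, i.e. it has an admissible timed execution.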

The problem illustrated in the example arises because the two components collaborate on performing the Zeno timed executions. To solve the problem, systems that can collaborate in this fashion need to be excluded from the model. We do this by identifying a special class of Zeno timed executions, the Zeno-tolerant timed executions. A Zeno-tolerant timed execution is a Zeno timed execution containing infinitely many input actions but only finitely many locally-controlled actions. We denote by $t\text{-}exec^{zt}(A)$ the set of Zeno-tolerant timed executions of a safe timed I/O automaton $A$.

The Zeno-tolerant timed executions represent Zeno behaviors that are exclusively due to a Zeno environment. Thus, there is no collaboration between system and environment. This gives rise to a notion of Zeno-tolerant strategy.

Definition 2.23 (Zeno-tolerant strategy)

A strategy $(g, f)$ defined on a safe timed I/O automaton $A$ is said to be Zeno-tolerant if, for every finite timed execution $\Sigma \in t\text{-}exec^*(A)$ and every timed environment sequence $I$ for $A$ compatible with $\Sigma$, $O_{(g,f)}(\Sigma, I) \subseteq t\text{-}exec^\infty(A) \cup t\text{-}exec^{zt}(A)$.

Thus, any Zeno timed execution in an outcome of a Zeno-tolerant strategy is Zeno-tolerant and thus represents a behavior that is Zeno only because of Zeno inputs from the environment. Note that in the Lamport example above it is not possible to find a Zeno-tolerant strategy defined on either of the two components: if one component behaves in a Zeno fashion, the other component will collaborate, and the resulting outcome cannot contain Zeno-tolerant timed executions.

We are now ready to present the timed definition of environment-freedom.

Definition 2.24 (Environment-freedom)

A pair $(A, L)$, where $A$ is a safe timed I/O automaton and $L \subseteq t\text{-}exec(A)$, is environment-free iff there exists a Zeno-tolerant strategy $(g, f)$ defined on $A$ such that for each finite timed execution $\Sigma$ of $A$ and each timed environment sequence $I$ for $A$ compatible with $\Sigma$, $O_{(g,f)}(\Sigma, I) \subseteq L$. The pair $(g, f)$ is called an environment-free strategy for $(A, L)$.

A pair $(A, L)$ is environment-free if, after any finite timed execution and with any (Zeno or non-Zeno) sequence of input actions, it can behave according to some admissible or Zeno-tolerant timed execution in $L$.

This leads to the definition of live timed I/O automata, where the liveness condition contains only admissible timed executions, but where the strategy is allowed to yield Zeno-tolerant outcomes when given a Zeno timed environment sequence.

Definition 2.25 (Live timed I/O automata)

A live timed I/O automaton is a pair $(A, L)$, where $A$ is a safe timed I/O automaton and $L \subseteq t\text{-}exec^\infty(A)$, such that the pair $(A, L \cup t\text{-}exec^{zt}(A))$ is environment-free.



2.2.2.1 Operations on Live Timed I/O Automata

The parallel composition, action hiding, and action renaming operators defined for safe timed I/O automata are now extended to live timed I/O automata in a fashion similar to the way the operators were extended in the untimed setting.

Definition 2.26 (Parallel composition of live timed I/O automata)

Live timed I/O automata $(A_1, L_1), \ldots, (A_N, L_N)$ are compatible iff the safe timed I/O automata $A_1, \ldots, A_N$ are compatible.

The parallel composition $(A_1, L_1) \| \cdots \| (A_N, L_N)$ of compatible live timed I/O automata $(A_1, L_1), \ldots, (A_N, L_N)$ is defined to be the pair $(A, L)$ where $A = A_1 \| \cdots \| A_N$ and $L = \{\Sigma \in t\text{-}exec^\infty(A) \mid \Sigma\lceil A_1 \in L_1, \ldots, \Sigma\lceil A_N \in L_N\}$.

Definition 2.27 (Action hiding of live timed I/O automata)

Let $(A, L)$ be a live timed I/O automaton and let $\Lambda$ be a set of actions such that $\Lambda \subseteq local(A)$. Then define $(A, L) \setminus \Lambda$ to be the pair $(A \setminus \Lambda, L)$.

Definition 2.28 (Action renaming of live timed I/O automata)

A mapping $\rho$ from actions to actions is applicable to a live timed I/O automaton $(A, L)$ if it is applicable to $A$. Let $\Sigma$ be a timed execution of $(A, L)$. Define $\rho(\Sigma)$ to be the sequence that results from replacing each occurrence of every action $a$ in $\Sigma$ by $\rho(a)$. Given a live timed I/O automaton $(A, L)$ and a mapping $\rho$ applicable to $(A, L)$, define $\rho((A, L))$ to be the pair $(\rho(A), \rho(L))$.



As expected, the three operators above are closed for live timed I/O automata in the sense that they produce a new live timed I/O automaton. This is a consequence of the environment-freedom property.

Lemma 2.29 (Closure of timed parallel composition)

Let $(A_1, L_1), \ldots, (A_N, L_N)$ be compatible live timed I/O automata. Then the parallel composition $(A_1, L_1) \| \cdots \| (A_N, L_N)$ is a live timed I/O automaton.

Lemma 2.30 (Closure of action hiding)

Let $(A, L)$ be a live timed I/O automaton and let $\Lambda \subseteq local(A)$. Then $(A, L) \setminus \Lambda$ is a live timed I/O automaton.

Lemma 2.31 (Closure of action renaming)

Let $(A, L)$ be a live timed I/O automaton and let $\rho$ be a mapping applicable to $(A, L)$. Then $\rho((A, L))$ is a live timed I/O automaton.



2.2.3 Correctness

In the timed setting the safe and correct implementation relations are based on timed traces.

Definition 2.32 (Timed implementation relations)

Given two live timed I/O automata $(A, L)$ and $(B, M)$ such that $in(A) = in(B)$ and $out(A) = out(B)$, define the following implementation relations:

Safe:     $A \sqsubseteq_{St} B$               iff  $t\text{-}traces(A) \subseteq t\text{-}traces(B)$

Safe:     $(A, L) \sqsubseteq_{St} (B, M)$     iff  $A \sqsubseteq_{St} B$

Correct:  $(A, L) \sqsubseteq_{Lt} (B, M)$     iff  $t\text{-}traces(L) \subseteq t\text{-}traces(M)$

2.2.4 Substitutivity 

The timed model, like the untimed model, offers a modular approach to systems specification 
and verification as stated by the following substitutivity results. 

Proposition 2.33 (Substitutivity)

Let $(A_i, L_i), (B_i, M_i)$, $i = 1, \ldots, N$, be live timed I/O automata with $in(A_i) = in(B_i)$ and
$out(A_i) = out(B_i)$, and let $\sqsubseteq_x$ be one relation among $\sqsubseteq_{St}$ and $\sqsubseteq_{Lt}$. If, for each $i$, $(A_i, L_i) \sqsubseteq_x (B_i, M_i)$, then

1. if $(A_1, L_1), \ldots, (A_N, L_N)$ are compatible and $(B_1, M_1), \ldots, (B_N, M_N)$ are compatible then
$(A_1, L_1) \| \cdots \| (A_N, L_N) \sqsubseteq_x (B_1, M_1) \| \cdots \| (B_N, M_N)$.

2. if $\Lambda \subseteq local(A_1)$ and $\Lambda \subseteq local(B_1)$ then
$(A_1, L_1) \setminus \Lambda \sqsubseteq_x (B_1, M_1) \setminus \Lambda$

3. if $\rho$ is a mapping applicable to both $A_1$ and $B_1$ then
$\rho((A_1, L_1)) \sqsubseteq_x \rho((B_1, M_1))$



2.3 Embedding Results 

The untimed model is used to specify systems where the actual amount of time that passes 
between actions is considered unimportant. Many problems in distributed computing can be 
stated and solved using this model. However, it is not possible to state anything about, e.g., 
response times. It is implicitly assumed that the final implementation on a physical machine is 
"fast enough" for practical usage. 

An untimed system can be thought of as a timed system that allows arbitrary time-passage, 
as long as possible liveness restrictions are satisfied. This indicates that our timed model is, in 
some sense, more general than our untimed model, and that we could use the timed model for 
all purposes. However, the timed model is more complicated than the untimed model due to 
the time-passage action, the .now component, etc., and furthermore it does not seem natural to 
have to deal with time, when the problem to be solved does not mention time at all. 

Thus, it is preferable to work within the untimed model as much as possible and only switch to 
the timed model when it is needed. The work in this report shows how the untimed specification 
(of the at-most-once message delivery problem) is implemented by a system that assumes upper 
time bounds on certain process steps and channel delays. Figure 2.1 depicts such a stepwise
development.

Figure 2.1 (diagram not reproduced): SPEC at the top, followed by the untimed levels, then the timed levels, and IMPL at the bottom. A stepwise development from an untimed specification to a timed implementation.

The question is of course what it means to implement an untimed specification
by a timed implementation. Our approach is to convert the untimed levels to the timed model 
by applying an operator, called patient, that adds arbitrary time-passage steps as mentioned 
above. We then have an Embedding Theorem which states that if a concrete level implements an 
abstract level in the untimed model, then the patient version of the concrete level implements 
the patient version of the abstract level in the timed model, and vice versa. Thus, the first part 
of the stepwise development of Figure 2.1 can be carried out entirely in the simpler untimed 
model, and the last part in the timed model. In the intermediate development step which goes 
from untimed to timed, one must prove that the timed level implements the patient version of 
the untimed level. The embedding lemma can then be applied to show that the implementation 
IMPL implements the patient version of the specification SPEC. 
We start by defining a patient safe I/O automaton. 

Definition 2.34 (Patient safe I/O automaton)

Let $A$ be a safe I/O automaton where $\nu \notin acts(A)$. Then define $patient(A)$ to be the safe timed
I/O automaton with

• $states(patient(A)) = states(A) \times T$

If $s = (s', t)$ is a state of $patient(A)$, we let $s.basic$ denote $s'$.

• $start(patient(A)) = start(A) \times \{0\}$

• $.now_{patient(A)}(s, t) = t$

• $ext(patient(A)) = ext(A) \cup \{\nu\}$

• $in(patient(A)) = in(A)$

• $out(patient(A)) = out(A)$

• $int(patient(A)) = int(A)$

• $steps(patient(A))$ consists of the steps

- $\{((s, t), a, (s', t)) \mid (s, a, s') \in steps(A)\}$

- $\{((s, t), \nu, (s, t')) \mid t' > t\}$



In order to state what it means to apply the patient operator to a live I/O automaton, we need
the following auxiliary definition of what it means to untime a timed execution: Let $A$ be a safe
I/O automaton with $\nu \notin acts(A)$ and let $\Sigma = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ be a timed execution of $patient(A)$.
Then define

$$untime(\Sigma) = (fstate(\omega_0).basic)\, a_1\, (fstate(\omega_1).basic)\, a_2\, (fstate(\omega_2).basic) \cdots$$

Similarly, let $\gamma = ((a_1, t_1)(a_2, t_2) \cdots, t)$ be a timed trace of $patient(A)$. Then define

$$untime(\gamma) = a_1 a_2 \cdots$$

The notion of a patient live I/O automaton can now be defined. For any live I/O automaton 
(A, L), the patient live I/O automaton of (A, L) should be the live timed I/O automaton whose 
safety part is patient(A) and whose liveness part consists of all those admissible executions that, 
when being made untimed, are live according to L. Thus, the liveness condition of the patient 
live I/O automaton allows time to pass arbitrarily, as long as the liveness prescribed by L is 
satisfied. 

Definition 2.35 (Patient live I/O automaton) 

Let $(A, L)$ be a live I/O automaton with $\nu \notin acts(A)$. Then, define $patient_A(L) = \{\Sigma \in t\text{-}exec^\infty(patient(A)) \mid untime(\Sigma) \in L\}$ and define $patient(A, L)$, the patient live I/O automaton
of $(A, L)$, to be the pair $(patient(A), patient_A(L))$.



It can be proved that for any live I/O automaton (A,L), patient(A, L) is a live timed I/O 
automaton. 

Lemma 2.36 

Let (A, L) be a live I/O automaton. Then patient(A, L) is a live timed I/O automaton. 



We now state the Embedding Theorem, namely that the safe and correct implementation relations
for live I/O automata coincide with the safe and correct implementation relations for the patient
versions of the live I/O automata.

Theorem 2.37 (Embedding Theorem)

Let $(A, L)$ and $(B, M)$ be live I/O automata with $\nu \notin (acts(A) \cup acts(B))$. Then

1. $(A, L) \sqsubseteq_S (B, M)$ iff $patient(A, L) \sqsubseteq_{St} patient(B, M)$.

2. $(A, L) \sqsubseteq_L (B, M)$ iff $patient(A, L) \sqsubseteq_{Lt} patient(B, M)$.



Finally we state a result which is important when doing specification and verification in a
modular fashion. Namely, the patient operator commutes with the three operators on safe and
live (timed) I/O automata. First, let $\equiv_{St}$ and $\equiv_{Lt}$ denote the kernels of the preorders $\sqsubseteq_{St}$ and
$\sqsubseteq_{Lt}$, respectively.$^3$

Proposition 2.38

Let $(A, L)$ and $(A_1, L_1), \ldots, (A_N, L_N)$ be live I/O automata and let $\equiv_x$ be one of $\equiv_{St}$ and $\equiv_{Lt}$.

1. Let $(A_1, L_1), \ldots, (A_N, L_N)$ be compatible. Then,

$$patient((A_1, L_1) \| \cdots \| (A_N, L_N)) \equiv_x patient(A_1, L_1) \| \cdots \| patient(A_N, L_N)$$

2. Let $\Lambda \subseteq local(A)$. Then,

$$patient((A, L) \setminus \Lambda) \equiv_x patient(A, L) \setminus \Lambda$$

3. Let $\rho$ be an action mapping applicable to $A$ and let $\rho_\nu$ be $\rho \cup [\nu \mapsto \nu]$. Then,

$$patient(\rho(A, L)) \equiv_x \rho_\nu(patient(A, L))$$



This concludes the introduction to the basic models of untimed and timed systems that we will 
use in this work. 



$^3$ The kernel of a preorder $\sqsubseteq$ is defined to be the equivalence $\equiv$ defined by $x \equiv y \triangleq x \sqsubseteq y \wedge y \sqsubseteq x$.



Chapter 3

A Temporal Logic with Step Formulas



Chapter 2 defined the models of distributed systems we use in this work. One component of the 
models is the liveness condition which is a set of (timed) executions. Since such sets may be 
infinite (and each execution in the set may be an infinite sequence), it is necessary to have some 
way of denoting them without explicitly having to write down any executions. For this purpose 
we shall use a temporal logic which will be able to express properties of (ordinary) executions of 
safe (timed) I/O automata. Exactly how this temporal logic is used to specify liveness conditions 
for timed and untimed systems will be one of the issues of Chapter 4. This chapter is devoted 
to defining the temporal logic. 

In [MP92], Manna and Pnueli develop a temporal logic and give several examples of its use. 
For two reasons we cannot use their temporal logic directly. First, Manna and Pnueli evaluate 
temporal formulas over sequences of states and not over sequences of alternating states and 
actions. Second, they only deal with infinite sequences of states whereas (even live) executions 
of our systems may be finite. In a section below we show, however, how our temporal logic is 
related to that of [MP92]. 

The first reason suggests that maybe Lamport's Temporal Logic of Actions (TLA) [Lam91] 
could be used. However, TLA is still state based in the sense that the semantics of a TLA 
formula is a set of sequences of states. Actions are in TLA merely state changes. It is possible 
that by having special TLA variables ranging over action names we could use TLA. However, 
due to the inherent importance of actions in our approach, we chose to develop our own temporal 
logic dealing with actions in a more intuitive manner. 

The rest of this chapter is organized as follows: In order to be able to state and prove results in
this and later chapters, we start by introducing notions of stuttering and stuttering-equivalence
in Section 3.1. Sections 3.2-3.4 then introduce the basic building blocks of our temporal logic:
first, in Section 3.2, we introduce the notion of state functions and the special notion of state
predicates. Section 3.3 then describes the notion of state transition functions, which are state
functions that are evaluated over pairs of states. Finally, in Section 3.4, we introduce the
important notion of step formulas. A step formula is a boolean valued function which is evaluated
over steps. Thus, step formulas can express properties of both the states and the action of a
step.

Sections 3.5 and 3.6 now introduce the formulas of our temporal logic, i.e., the temporal
formulas, by first, in Section 3.5, giving some basic temporal operators and then, in Section 3.6,
defining some important derived operators. In Section 3.7 we see how temporal formulas can be
seen as formulas over safe (timed) I/O automata, and Section 3.8 deals with satisfaction and
validity as well as validity with respect to safe (timed) I/O automata or sets of executions.

Sections 3.9 and 3.10 provide results, mainly about special stuttering-insensitive formulas,
which will prove very important in the next chapter.

Then, in Section 3.11 we compare our temporal logic with that of Manna and Pnueli [MP92].
Finally, in order for our temporal logic to be useful for proving correctness of the protocols in
the second part of this report, Section 3.12 provides certain rules of the logic. We do not in this
work attempt to develop a completely axiomatized temporal logic, but merely state the rules we
have found useful. Further research should investigate a basic set of rules of our temporal logic.

Even though, strictly speaking, executions are only defined with respect to specific automata,
we will in this chapter use the term "execution" to denote any alternating sequence of states
and actions. As usual we let $\alpha$ range over executions.

3.1 Stuttering 

For technical reasons which will become clear below, we introduce a notion of stuttering steps
and stuttering-equivalence of executions.

Denote by $\zeta$ a special stuttering action. We will assume that $\zeta$ cannot be used as an ordinary
action of any safe (timed) I/O automaton. Below we will let $A$ denote an arbitrary set of actions
and, hence, it will always be the case that $\zeta \notin A$. A stuttering step is any triple of the form
$(s, \zeta, s)$, where $s$ is a state.

Since $\zeta$ can never be an action of a safe (timed) I/O automaton $A$, it can never occur in
any execution of $A$. However, we will allow stuttering steps to occur in the broader sense of
executions used in this chapter. As we shall see below, temporal formulas will not be able
to refer to the stuttering actions in executions, but it turns out to be important to be able to
evaluate temporal formulas over executions possibly containing stuttering.

Define $\natural\alpha$ to be the execution obtained by replacing every maximal (finite or infinite) sequence
$s\,\zeta\,s\,\zeta\,s \cdots$ in $\alpha$ by the single state $s$. Thus, the $\natural$ operator removes all stuttering. Now, define
two executions $\alpha_1$ and $\alpha_2$ to be stuttering-equivalent, written $\alpha_1 \simeq \alpha_2$, if $\natural\alpha_1 = \natural\alpha_2$.

For any execution $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ define

$$\hat\alpha \triangleq \begin{cases} \alpha & \text{if } \alpha \text{ is infinite} \\ s_0 a_1 s_1 a_2 s_2 \cdots a_n s_n\, \zeta\, s_n\, \zeta\, s_n \cdots & \text{if } \alpha \text{ is finite and ends in } s_n \end{cases}$$

Thus, if $\alpha$ is finite, $\hat\alpha$ is the infinite execution obtained by concatenating infinite stuttering at
the end of $\alpha$. Clearly, $\alpha \simeq \hat\alpha$.

3.2 States, State Functions, and State Predicates 

In Chapter 2 we defined the state space of a safe (timed) I/O automaton to be any set of 
individual states. We did not assume any structure of these states but merely assumed that 
states are names. In practical examples, especially those presented in this work, the state space 
will be described as a mapping from state variables to their values. Thus, a safe (timed) I/O 
automaton is assumed to contain a number of (typed) state variables, and the individual states 
are then distinguished by having different assignments of values to these state variables. For this 
reason the temporal logic defined below will reference states using variable names. This approach
is also used in [MP92, Lam91]. Below we will let V denote a set of variables. Furthermore, in 
order to avoid the complexity of carrying around the types of the variables, we assume that the 
type of a variable is given implicitly by the name of the variable. For example, i, j and k will 
typically range over the natural numbers. 

We assume that we have a language for writing state functions — using variables, constants, 
standard operators, boolean connectives, and quantification — that can be evaluated over states. 
We will not give a language for writing down state functions since such languages are fairly 
standard. We refer to, e.g., [MP92] for a more thorough treatment of state functions. 

A state function over $V$ is a state function whose free variables are a subset of $V$. If $f$ is
a state function over $V$, then clearly $f$ is also a state function over $V \cup V'$, where $V'$ is any set
of variables. For any state function $f$ over $V$ and any $V$-state $s$ (i.e., any assignment of proper
values to all variables in $V$), we let $s[\![f]\!]$ denote the value of $f$ in state $s$.

A state predicate over $V$ is a boolean valued state function over $V$. Below we shall see that state
predicates are a special case of the more general notion of step formulas.

3.3 State Transition Functions 

A state transition function $f$ over $V$ is a state function over $V \cup V^\circ$, where $V^\circ$ is the set obtained
by tagging each variable in $V$ with $^\circ$. State transition functions over $V$ are evaluated over pairs
$(s, s')$ of $V$-states. The variables in $V$ refer to state variables in $s$ and variables in $V^\circ$ refer to
the corresponding state variables in $s'$. Formally, the value of a state transition function $f$ over
$V$ in a pair $s, s'$ of $V$-states, written $(s, s')[\![f]\!]$, is defined as

$$(s, s')[\![f]\!] = (s \cup [x^\circ \mapsto s'(x) \mid x \in V])[\![f]\!]$$

Action Functions and State Transition Predicates 

An action function $f$ over $(V, A)$ is a state transition function over $V$ that yields a subset of
the actions in $A$ when evaluated in any pair of $V$-states. Note that the stuttering action $\zeta$ can
never be in the range of an action function.

A state transition predicate P over V is any boolean valued state transition function over V. 

3.4 Step Formulas 

A step formula over $(V, A)$ is a formula that can be evaluated over triples $(s, a, s')$, where $s$ and
$s'$ are $V$-states and $a \in A \cup \{\zeta\}$, i.e., step formulas are evaluated over (possibly stuttering) steps.
There are two kinds of step formulas: those based on action functions and those based on
state transition predicates. We consider these two possibilities and in each case we define what
it means for a step formula $P$ to hold in $(s, a, s')$, written $(s, a, s') \models P$.

If $f$ is an action function over $(V, A)$, then $\langle f \rangle$ is a step formula over $(V, A)$, and we define

$$(s, a, s') \models \langle f \rangle \text{ iff } a \in (s, s')[\![f]\!]$$

Since $\zeta$ can never be in the range of $f$, the step formula $\langle f \rangle$ can never hold in a stuttering step.

A state transition predicate $P$ over $V$ is also a step formula over $(V, A)$, where $A$ is an arbitrary
set of actions, and we define

$$(s, a, s') \models P \text{ iff } (s, s')[\![P]\!] = true$$

3.4.1 State Predicates 

A state predicate $P$ over $V$ can now be seen as a special case of a step formula, namely a state
transition predicate over $V$ that does not mention any variables in $V^\circ$. Thus, consistent with
the normal semantics of state predicates, we define what it means for a state predicate $P$ over
$V$ to hold in a $V$-state $s$, written $s \models P$,

$$s \models P \text{ iff } (s, s)[\![P]\!] = true$$

When defining temporal formulas below, we deal with step formulas and thereby also state 
predicates. 

3.5 Temporal Formulas 

An execution $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ over $(V, A)$ is an execution where each $s_i$ is a $V$-state and each
$a_i \in A \cup \{\zeta\}$ such that if $a_i = \zeta$ then $s_{i-1} = s_i$. (Thus, stuttering actions can only occur in
executions if they are part of stuttering steps.) Below we define the notion of temporal formulas
$P$ over $(V, A)$, and what it means for such a formula to hold at position $j \in \mathbb{N}$ in an execution $\alpha$
over $(V, A)$, written $(\alpha, j) \models P$. (If $\alpha$ is finite, it is thought of as being extended with stuttering
such that we can also define what it means for $P$ to hold at positions $j \ge |\alpha|$.)

A temporal formula over $(V, A)$ contains only free variables in $V$ and can only mention actions
in $A$. Thus, a temporal formula over $(V, A)$ is also a temporal formula over $(V \cup V', A \cup A')$,
where $V'$ is any set of variables and $A'$ is any set of actions.

Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ below.

Step Formulas 

Any step formula $P$ over $(V, A)$ is also a temporal formula over $(V, A)$ and we have,

$$(\alpha, j) \models P \text{ iff } (0 \le j < |\alpha| \text{ and } (s_j, a_{j+1}, s_{j+1}) \models P) \text{ or } (j \ge |\alpha| \text{ and } (s_{|\alpha|}, \zeta, s_{|\alpha|}) \models P)$$

Thus, for all positions j in a (except the last one if a is finite), P has to hold for the step 
starting in state Sj. If a is finite and j is greater than or equal to the last position in a, P has 
to hold for the step that stutters the last state. 

The Next Operator 

If $P$ is a temporal formula over $(V, A)$, then so is $\bigcirc P$, read next $P$.

$$(\alpha, j) \models \bigcirc P \text{ iff } (\alpha, j+1) \models P$$
The Unless (Waiting-for) Operator

If $P$ and $Q$ are temporal formulas over $(V, A)$, then so is $P\,W\,Q$, read $P$ unless (or waiting-for) $Q$.

$$(\alpha, j) \models P\,W\,Q \text{ iff either there exists a } k \ge j \text{ such that } (\alpha, k) \models Q \text{ and for every } i \text{ with } j \le i < k,\ (\alpha, i) \models P, \text{ or else for all } i \text{ with } i \ge j,\ (\alpha, i) \models P$$

Quantification 

If $P$ is a temporal formula over $(V, A)$, then $(\forall x : P)$ and $(\exists x : P)$ are temporal formulas over
$(V \setminus \{x\}, A)$.

For any $V$-state $s$ denote by $s^x_v$, where $v$ is assumed to be in the type of the variable $x$, the
$(V \cup \{x\})$-state obtained from $s$ by either, if $x \in V$, changing the value of $x$ in $s$ to $v$, or, if
$x \notin V$, extending $s$ with a mapping from $x$ to $v$. Thus, $s^x_v = (s \setminus \{x\}) \cup [x \mapsto v]$. For any
execution $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ over $(V, A)$, let $\alpha^x_v$ denote the execution $(s_0)^x_v\, a_1\, (s_1)^x_v\, a_2\, (s_2)^x_v \cdots$ over
$(V \cup \{x\}, A)$. With this definition, we can define the semantics of universal quantification.

$$(\alpha, j) \models \forall x : P \text{ iff for all values } v,\ (\alpha^x_v, j) \models P$$

Thus, $P$ must, for arbitrary (proper) values $v$, hold for the execution where $x$ is assigned the value
$v$ in every state. This is in [MP92] and [Lam91] known as quantification over rigid variables since
the variable has a constant value during the execution. In [MP92] and [Lam91] quantification
over a program variable $x$ allows $x$ to vary during the execution. We do not consider that kind
of quantification in this work.

Existential quantification is defined in a similar fashion.

$$(\alpha, j) \models \exists x : P \text{ iff there exists a value } v \text{ such that } (\alpha^x_v, j) \models P$$

Boolean Operators 

We give the standard definition of implication and negation. The remaining boolean operators
will be derived from these below.

If $P$ and $Q$ are temporal formulas over $(V, A)$, then so is $P \Rightarrow Q$, and we have

$$(\alpha, j) \models (P \Rightarrow Q) \text{ iff } (\alpha, j) \models P \text{ implies that } (\alpha, j) \models Q$$

If $P$ is a temporal formula over $(V, A)$, then so is $\neg P$, and we have

$$(\alpha, j) \models \neg P \text{ iff } (\alpha, j) \not\models P$$

Since we allow boolean operators in both state functions and temporal formulas, there might
be an ambiguity as to how such boolean operators should be interpreted in a given temporal
formula. For example, $R = \bigcirc(x = 1 \Rightarrow y = 2)$ can be regarded as obtained by A) applying
the next operator to the step formula $(x = 1 \Rightarrow y = 2)$, or B) first applying the temporal
implies operator to the two step formulas $x = 1$ and $y = 2$, and then applying the next operator
to the result. It turns out that either interpretation leads to the same result as to whether the
formula holds at a certain position in an execution. However, to avoid confusion we adopt the
convention that step formulas in temporal formulas are always "as large as possible"; thus, we
consider $R$ in the example to be produced as described in case A).
3.6 More Temporal Formulas

The rest of the temporal operators can be described syntactically from $W$, $\Rightarrow$ and $\neg$. Below
we assume that $P$ and $Q$ are temporal formulas over $(V, A)$. The formulas we define are then
also temporal formulas over $(V, A)$.

More Boolean Operators 

Disjunction and conjunction are defined in the standard way.

$$P \vee Q \triangleq (\neg P) \Rightarrow Q$$

$$P \wedge Q \triangleq \neg((\neg P) \vee (\neg Q))$$

The Inclusive Unless Operator 

The $W$ operator defined above requires a formula $P$ to hold forever or, if another formula $Q$
holds at some point, at least up to but not necessarily including the point where $Q$ starts to
hold. Often we need to express that $P$ also holds in the state where $Q$ starts to hold. For this
reason we introduce the inclusive unless operator $W_i$ defined as

$$P\,W_i\,Q \triangleq P\,W\,(P \wedge Q)$$

The Always Operator 

To express that a formula holds forever, we define $\Box P$, read always $P$.

$$\Box P \triangleq P\,W\,\mathit{false}$$

The Eventually Operator 

To express that sooner or later a temporal formula holds, we define $\Diamond P$, read eventually $P$.

$$\Diamond P \triangleq \neg\Box(\neg P)$$

The (Inclusive) Until Operator 

The unless operator expresses that a temporal formula $P$ holds at least until another temporal
formula $Q$ starts to hold, but it does not require that $Q$ eventually holds. (If $Q$ does not hold
eventually, $P$ should hold forever.) To express that $Q$ is required to hold eventually, we define
$P\,U\,Q$, read $P$ until $Q$.

$$P\,U\,Q \triangleq (\Diamond Q) \wedge (P\,W\,Q)$$

There is also an inclusive version of the until operator.

$$P\,U_i\,Q \triangleq (\Diamond Q) \wedge (P\,W_i\,Q)$$

The Leads-To Operator 

The leads-to operator is an important temporal operator which expresses that during an execution,
if $P$ holds at some point, then $Q$ will hold at a later (or the same) point. Thus, $P \leadsto Q$,
read $P$ leads to $Q$, is defined as

$$P \leadsto Q \triangleq \Box(P \Rightarrow (\Diamond Q))$$
3.6.1 Precedence

To avoid excessive use of parentheses, we use the following convention regarding the precedence
(binding power) of the temporal operators. The operators in the group

$$\bigcirc \qquad \Box \qquad \Diamond \qquad \neg$$

have equal precedence but higher precedence than the operators

$$\wedge \qquad \vee$$

which, in turn, have equal precedence but higher precedence than the operators

$$\Rightarrow \qquad W \qquad W_i \qquad U \qquad U_i \qquad \leadsto$$

which have equal precedence.

3.7 Functions and Temporal Formulas over Automata 

For any safe (timed) I/O automaton $A$ whose state space is defined by state variables, denote
by $variables(A)$ the set of state variables of $A$. We say that $f$ is a state function or state
transition function over $A$ if $f$ is a state function or state transition function over $variables(A)$,
respectively. Similarly, $f$ is said to be an action function over $A$ if it is an action function over
$(variables(A), acts(A))$. This notion trivially extends to step formulas and temporal formulas.

3.8 Satisfaction and Validity 

An execution $\alpha$ over $(V, A)$ is said to satisfy a temporal formula $P$ over $(V, A)$, written $\alpha \models P$,
if and only if $P$ holds at position $0$ of $\alpha$, thus

$$\alpha \models P \text{ iff } (\alpha, 0) \models P$$

A temporal formula $P$ over $(V, A)$ is said to be valid, written $\models P$, if every execution $\alpha$ over
$(V, A)$ satisfies $P$, thus

$$\models P \text{ iff for all } \alpha \text{ over } (V, A),\ \alpha \models P$$

We also introduce a notion of validity relative to a set $E$ of executions over $(V, A)$. A temporal
formula $P$ over $(V, A)$ is then $E$-valid, written $E \models P$, if every execution of $E$ satisfies $P$, thus

$$E \models P \text{ iff for all } \alpha \in E,\ \alpha \models P$$

This notion extends to $A$-validity, where $A$ is a safe (timed) I/O automaton. Then, for any
temporal formula $P$ over $A$, $P$ is said to be $A$-valid, written $A \models P$, if every execution of $A$
satisfies $P$, thus

$$A \models P \text{ iff for all } \alpha \in exec(A),\ \alpha \models P$$

3.9 Finite vs. Infinite Executions

Above $\alpha$ has ranged over infinite as well as finite executions. In this section we prove that the
question whether a temporal formula $P$ holds at position $j$ in execution $\alpha$ is equivalent to the
question whether $P$ holds at position $j$ in $\hat\alpha$. This result is, of course, due to the semantics of
step formulas which has a special case dealing with stuttering steps.

Lemma 3.1

Let $P$ be a temporal formula over $(V, A)$. Then, for all executions $\alpha$ over $(V, A)$ and all $j \ge 0$,

$$(\alpha, j) \models P \text{ iff } (\hat\alpha, j) \models P$$

Proof 

In Appendix B. 



3.10 Stuttering-Insensitive Temporal Formulas 

A temporal formula $P$ over $(V, A)$ is stuttering-insensitive if, for arbitrary executions $\alpha_1$ and
$\alpha_2$ over $(V, A)$ with $\alpha_1 \simeq \alpha_2$, $\alpha_1 \models P$ if and only if $\alpha_2 \models P$. Thus, if $P$ is stuttering-insensitive
and holds for $\alpha$, it holds for all executions that can be obtained from $\alpha$ by adding or removing
stuttering.

Below, in Proposition 3.4, we prove that certain types of temporal formulas are stuttering- 
insensitive. However, first we need two technical lemmas. 

Lemma 3.2 

Let $P$ be a temporal formula over $(V, A)$ and $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ an arbitrary infinite execution
over $(V, A)$. Then, for all $j \ge 0$ and all $i \le j$

$$(\alpha, j) \models P \text{ iff } ({}_{j-i}|\alpha, i) \models P$$

Proof 

In Appendix B. 



Lemma 3.3 

Let $\alpha$ and $\alpha'$ be infinite executions such that $\alpha \simeq \alpha'$. Then, for all $k \ge 0$, there exists a $k' \ge 0$
such that

1. ${}_k|\alpha \simeq {}_{k'}|\alpha'$

2. for all $0 \le i' < k'$, there exists an $i$ with $0 \le i < k$ such that ${}_i|\alpha \simeq {}_{i'}|\alpha'$

Proof 

In Appendix B. 
We can now characterize certain temporal formulas which are stuttering-insensitive. State predicates
are always stuttering-insensitive. This is because stuttering-equivalent executions will
always start in the same state. General state transition predicates are not, however, stuttering-insensitive
in general. This is due to the fact that stuttering-equivalent executions do not necessarily
agree on the first step. All state transition predicates that hold in all stuttering steps are,
however, stuttering-insensitive. Also, step formulas of the form $\langle f \rangle$ are not stuttering-insensitive,
but $\Diamond\langle f \rangle$ is.

For the temporal operators, formulas of the form $\bigcirc P$ are not stuttering-insensitive in general.
Assume for instance that $\alpha_1 = s_0 a_1 s_1 a_2 s_2 \cdots$ and $\alpha_2 = s_0\, \zeta\, s_0 a_1 s_1 a_2 s_2 \cdots$. Then $\alpha_1 \simeq \alpha_2$.
Assume that $(\alpha_1, j) \models P$ only if $j = 1$. Then $\alpha_1 \models \bigcirc P$ but $\alpha_2 \not\models \bigcirc P$. Thus, $\bigcirc P$ is not stuttering-insensitive.
However, all other temporal operators yield stuttering-insensitive temporal formulas
when applied to stuttering-insensitive formulas.
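The semantics of Sections 3.5 and 3.6 and the $\bigcirc P$ example above, worked out as an added example that is not part of the report: a small Python evaluator for temporal formulas over finite executions (extended with infinite stuttering, as in Lemma 3.1), together with the stutter-removal operator of Section 3.1 and the rule Unl of Section 3.12 checked on two constructed executions. Quantification is omitted; the formula representation, the function names and the executions are this example's own assumptions.

```python
# Added example, not from the report: an evaluator for the temporal logic of
# Chapter 3 over finite executions s0 a1 s1 a2 s2 ..., which are implicitly
# extended with infinite stuttering (Section 3.5, Lemma 3.1).  Quantification
# is left out.  Formula constructors and names are this example's own.

STUTTER = "zeta"  # the special stuttering action; never an action of an automaton

# Formulas are tagged tuples; the primitive forms are those of Section 3.5.
def Step(fn):      return ("step", fn)        # fn(s, a, s2) -> bool, a may be STUTTER
def Next(P):       return ("next", P)         # next P
def W(P, Q):       return ("unless", P, Q)    # P unless (waiting-for) Q
def Implies(P, Q): return ("implies", P, Q)
def Not(P):        return ("not", P)

# The kinds of step formulas over (V, A): a state predicate, a state transition
# predicate, and <f> for an action function f(s, s2) -> set of actions (the
# stuttering action is never in that set, so <f> fails on stuttering steps).
def State(p):  return Step(lambda s, a, s2: p(s))
def Trans(p):  return Step(lambda s, a, s2: p(s, s2))
def Action(f): return Step(lambda s, a, s2: a in f(s, s2))

# Derived operators, defined syntactically exactly as in Section 3.6.
FALSE = State(lambda s: False)
def Or(P, Q):         return Implies(Not(P), Q)
def And(P, Q):        return Not(Or(Not(P), Not(Q)))
def Wi(P, Q):         return W(P, And(P, Q))             # inclusive unless
def Always(P):        return W(P, FALSE)                 # box P
def Eventually(P):    return Not(Always(Not(P)))         # diamond P
def Until(P, Q):      return And(Eventually(Q), W(P, Q))
def LeadsTo(P, Q):    return Always(Implies(P, Eventually(Q)))

def last_position(alpha):
    return (len(alpha) - 1) // 2   # alpha = (s0, a1, s1, ..., an, sn): positions 0..n

def step_at(alpha, j):
    """The step (s_j, a_{j+1}, s_{j+1}), or the stuttering step on the last
    state when j is at or past the last position."""
    n = last_position(alpha)
    if j < n:
        return alpha[2 * j], alpha[2 * j + 1], alpha[2 * j + 2]
    return alpha[2 * n], STUTTER, alpha[2 * n]

def holds(P, alpha, j):
    """(alpha, j) |= P.  Every position at or past the last one sees the same
    infinite stuttering future, so j is clamped to the last position."""
    n = last_position(alpha)
    j = min(j, n)
    kind = P[0]
    if kind == "step":
        return P[1](*step_at(alpha, j))
    if kind == "next":
        return holds(P[1], alpha, j + 1)
    if kind == "implies":
        return (not holds(P[1], alpha, j)) or holds(P[2], alpha, j)
    if kind == "not":
        return not holds(P[1], alpha, j)
    if kind == "unless":                    # P W Q
        for k in range(j, n + 1):
            if holds(P[2], alpha, k):       # Q holds at k and P held on [j, k)
                return True
            if not holds(P[1], alpha, k):
                return False
        return True                         # P holds at every position >= j
    raise ValueError("unknown formula kind: %s" % kind)

def satisfies(P, alpha):
    return holds(P, alpha, 0)               # alpha |= P (Section 3.8)

def valid_in(P, executions):
    return all(satisfies(P, alpha) for alpha in executions)   # E |= P

def natural(alpha):
    """The stutter-removal operator of Section 3.1: drop every stuttering step."""
    out = [alpha[0]]
    for i in range(1, len(alpha), 2):
        if alpha[i] != STUTTER:
            out += [alpha[i], alpha[i + 1]]
    return tuple(out)

def stuttering_equivalent(alpha1, alpha2):
    return natural(alpha1) == natural(alpha2)

def rule_unl(P, Q):
    """Rule Unl of Section 3.12 as a formula, to be checked on executions."""
    return Implies(And(Always(Implies(P, Not(Q))), Wi(P, Q)), Always(P))

# Constructed executions over one variable x (states are dicts), following the
# Section 3.10 example: ALPHA2 is ALPHA1 with one stuttering step in front.
S0, S1, S2 = {"x": 0}, {"x": 1}, {"x": 2}
ALPHA1 = (S0, "inc", S1, "inc", S2)
ALPHA2 = (S0, STUTTER, S0, "inc", S1, "inc", S2)

def x_is(v):
    return State(lambda s: s["x"] == v)

# <f> where f yields {"inc"} exactly on steps that increment x by one.
INC = Action(lambda s, s2: {"inc"} if s2["x"] == s["x"] + 1 else set())

if __name__ == "__main__":
    # next(x = 1) tells the two stuttering-equivalent executions apart ...
    print(satisfies(Next(x_is(1)), ALPHA1), satisfies(Next(x_is(1)), ALPHA2))
    # ... whereas eventually(x = 1) does not.
    print(satisfies(Eventually(x_is(1)), ALPHA1), satisfies(Eventually(x_is(1)), ALPHA2))
```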

Proposition 3.4 

1. Every state predicate $P$ is stuttering-insensitive.

2. If $P$ is a state transition predicate such that for all states $s$, $(s, \zeta, s) \models P$, then $P$ is
stuttering-insensitive.

3. If $f$ is an action function, then $\Diamond\langle f \rangle$ is stuttering-insensitive.

4. If $P$ and $Q$ are stuttering-insensitive, then

(a) $P\,W\,Q$,

(b) $\forall x : P$,

(c) $\exists x : P$,

(d) $\neg P$, and

(e) $P \Rightarrow Q$

are all stuttering-insensitive. 

Proof 

In Appendix B. 



3.11 Comparison with Manna and Pnueli's Temporal Logic 

The temporal logic of Manna and Pnueli [MP92] is state based in the sense that temporal for- 
mulas are evaluated over sequences of states, i.e., with no actions interleaved. These sequences 
(computations) must be infinite; terminating computations are made infinite by appending in- 
finite stuttering at the end. 

As Lemma 3.1 indicates we could also have chosen to deal with infinite executions only: any 
temporal formula in our temporal logic is satisfied by a finite execution a if and only if the 
temporal formula is satisfied by the infinite execution obtained by appending infinite stuttering 
at the end of a. This indicates that the use of infinite computations only in [MP92] as opposed 
to our use of both finite and infinite executions is not an important difference between the two 
logics. 
The real difference lies in the important role of actions in our logic. We need to be able to
express properties of the actions occurring in executions. However, as the following discussion 
indicates, several results of [MP92] carry over to our logic. 

Consider any (infinite) execution

$$\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$$

This execution can be encoded as the following state based computation:

$$\bar\alpha = (s_0, a_1, s_1)(s_1, a_2, s_2) \cdots$$

Thus, each state of $\bar\alpha$ is a triple. Specifically, states of $\bar\alpha$ are assignments of the form:

$$[\,x_1 \mapsto v_1, \ldots, x_n \mapsto v_n,\ act \mapsto a,\ x'_1 \mapsto v'_1, \ldots, x'_n \mapsto v'_n\,]$$

where the variable assignments to $x_1, \ldots, x_n$ represent the first state in a triple, the special
variable $act$ holds the action of the triple, and the variable assignments to $x'_1, \ldots, x'_n$ represent
the last state in the triple.

Now, any valid temporal formula of [MP92] holds, in particular, for computations where
each state has the form $(s, a, s')$ such that the last state of each triple coincides with the first
state of the next triple. Thus, valid formulas of [MP92] hold specifically for all computations
that are encodings of our executions.

In order for such validity results of [MP92] to carry over to our temporal logic, it is important 
that the operators of [MP92] that we also use have a similar semantics in the two temporal logics, 
but this is easy to see. In fact, we have been guided by the temporal logic of [MP92] when defining 
the semantics of our temporal operators. 

Note, that since our notion of execution in the encoding into computations is more restrictive 
than general computations, validities in our logic do not carry over to the temporal logic of 
[MP92]. 

3.12 Rules and Meta Rules 

Temporal logics, or any logic for that matter, usually contain inference rules which allow validities
to be inferred from other validities. This is however not the way we shall use our temporal logic
in the verification examples in this work. Typically, we are given a particular execution $\alpha$ which
satisfies a temporal formula $P$ and then have to show that $\alpha$ satisfies another temporal formula
$Q$. Thus, our proofs will be proofs of satisfaction as opposed to proofs of validity.

So, for our purpose inference rules are not very useful. Instead we shall use rules of the form
of valid implications.

Such a rule (together with the definition of implication) allows us to conclude $\alpha \models Q$ from
$\alpha \models P$.
We now present the rules that we use in our correctness proofs below. We do not present simple
rules like, e.g., manipulation of Boolean operators or rules like

$$\text{Par: } \models (\Box P) \Rightarrow P$$

but implicitly use such rules in our proofs. An approach like TLA [Lam91] has invested a lot of
effort in finding rules that are typically used when proving systems correct. Such an investigation
still needs to be done for our temporal logic. Thus, we present the rules we have found a need
for in the particular examples presented in this work and leave the more general investigation
for further research. We do not prove that the rules are actually validities but we note that
this should follow easily from an encoding into the temporal logic of [MP92] as described in
Section 3.11. In the rules we let $P(k)$ denote a formula with $k$ free. Then, e.g., $P(0)$ is the
formula obtained from $P(k)$ by replacing all free occurrences of $k$ with $0$.

MP: $\models (((P_1 \wedge \cdots \wedge P_k) \Rightarrow Q) \wedge P_1 \wedge \cdots \wedge P_k) \Rightarrow Q$ 

MP1: $\models (\Box(P \Rightarrow Q) \wedge \Diamond P) \Rightarrow \Diamond Q$ 

Pro1: $\models (\forall k : \exists k' : (k > k' \wedge P(k)) \leadsto P(k')) \Rightarrow \Diamond P(0)$ 

Pro2: $\models (\Box(P \Rightarrow (Q \,\mathcal{W}\, R)) \wedge (\Box Q \Rightarrow \Diamond S) \wedge ((Q \wedge S) \Rightarrow R)) \Rightarrow (P \leadsto R)$ 

Ind: $\models ((P(0) \leadsto Q) \wedge \forall k : (k > 0 \Rightarrow \exists k' : (k' < k \wedge (P(k) \leadsto P(k') \vee Q)))) \Rightarrow \forall n : (P(n) \leadsto Q)$ 

Un1: $\models (\Box(P \Rightarrow \neg Q) \wedge (P \,\mathcal{W}\, Q)) \Rightarrow \Box P$ 

Un2: $\models (\Box(P \Rightarrow (Q \,\mathcal{W}\, R)) \wedge (\Box Q \Rightarrow \Diamond S)) \Rightarrow \Box(P \Rightarrow (\Diamond R \vee \Box\Diamond S))$ 

The rules allow us to prove that a given execution satisfies a formula, provided it satisfies another 
formula. We shall be using other rules, called meta rules, which cannot be stated as validities. 
For instance, if $\alpha \models \Box P$ and $\alpha'$ is a suffix of $\alpha$, then $\alpha' \models \Box P$. Again, we present the meta rules 
we have found useful in our particular examples, and leave an investigation of a "complete" set 
of meta rules as well as proofs of our meta rules for further research. We note, however, that 
many of the meta rules can be proved using Lemma 3.2. 

Lemma 3.5 

1. If $\alpha \models \Box P$ and $\alpha'$ is a suffix of $\alpha$, then $\alpha' \models \Box P$. 

2. If, for all suffixes $\alpha'$ of $\alpha$, $\alpha' \models P$, then $\alpha \models \Box P$. 

3. If $\alpha \models \Diamond P$, then there exists a suffix $\alpha'$ of $\alpha$ such that $\alpha' \models P$. 

4. If there exists a suffix $\alpha'$ of $\alpha$ such that $\alpha' \models P$, then $\alpha \models \Diamond P$. 

5. If, for any proper constant v, $\alpha \models P(v)$, then $\alpha \models \forall k : P(k)$. 

6. If $\alpha \models \forall k : P(k)$, then, for any proper constant v, $\alpha \models P(v)$. 

7. If, for some proper constant v, $\alpha \models P(v)$, then $\alpha \models \exists k : P(k)$. 

8. If $\alpha \models \exists k : P(k)$, then there exists a proper constant v such that $\alpha \models P(v)$. 



Since, in our proofs below, we shall use the different parts of Lemma 3.5 extensively, sometimes 
we use several parts at once and then simply refer to the lemma and not the particular parts. 
This concludes the introduction to our temporal logic. The temporal logic is especially designed 
so that formulas are evaluated over executions of safe (timed) I/O automata. This allows us 
to use the temporal logic to specify liveness conditions of live (timed) I/O automata and use 
the rules of the temporal logic in correctness proofs. Exactly how we use the temporal logic for 
specifying liveness conditions is one of the issues of the next chapter. 



Chapter 4 



Specifying Systems 



Chapter 2 introduced our basic models of timed and untimed systems. The models are entirely 
semantic: they describe the operational meaning of a system, that is, how a system behaves 
when executed. 

A live I/O automaton consists of mathematical objects like sets and lists. However, these 
sets and lists may be infinite, which indicates that a direct enumeration is not feasible. Thus, we 
need a language or some syntax, other than standard mathematical notation, for writing down 
elements of our models. This chapter describes the syntax we use. 

Furthermore, we describe how the effect of semantic operators (like parallel composition) is 
reflected in the syntax. For instance, we shall use the language of the temporal logic of Chapter 3 
for specifying liveness conditions. We then show, e.g., that under certain circumstances if the 
liveness of two systems is described by temporal formulas $Q_A$ and $Q_B$, respectively, then the 
liveness of the composed system is described by $Q_A \wedge Q_B$. This is important since it enables us 
to obtain a syntactic specification of the composed system directly from the specification of the 
component systems. 

The rest of this chapter is organized as follows. We first, in Section 4.1, deal with untimed 
systems and then, in Section 4.2, show how timed systems can be specified. Finally Section 4.3 
proves important embedding results. 

4.1 Specifying Untimed Systems 

4.1.1 Safe I/O Automata 

Safe I/O automata will be specified using the precondition-effect style normally used for specifying 
the I/O automata of [LT87, LT89]. 

This style assumes that the state space of the safe I/O automaton is described as a mapping 
from state variable names to their values. Thus, the state space of a safe I/O automaton will 
be described by listing the state variable names together with their types. The start states of 
a safe I/O automaton are then specified by giving the possible values the state variables can 
assume initially. 

As an example, consider the specification of a one-place buffer with the following functions: 
a message m can be placed in the buffer by the input action send(m) and removed from the 
buffer by the output action receive(m). (The environment is thought of as sending messages 
to the buffer and receiving them from the buffer.) If a new message is sent to the buffer before 
the previous message is passed on to the receiver, a special overflow flag is set, which leads to 
an output action overflow. Initially the buffer is empty and the overflow flag is not set. Thus, 
the state space and start state of this safe I/O automaton are described as: 



Variable   Type           Initially   Description 
buf        Msg ∪ {⊥}      ⊥           The one-place buffer. The symbol ⊥ denotes the empty buffer. 
of         Bool           false       The overflow flag. A value of true denotes overflow. 



We denote by variables(A) the set of state variables of the safe I/O automaton A. We use the 
normal record-notation for referencing the values of state variables in a given state. For instance, 
the value of state variable buf in state s is denoted by s.buf. Formally, since s is a mapping 
from variables to values, we have s.buf = s(buf). 

The action signature of the one-place buffer is described as follows: 

Input: 
  send(m), m ∈ Msg 
Output: 
  receive(m), m ∈ Msg 
  overflow 
Internal: 

Thus, even though there might be infinitely many actions (Msg might be infinite), we use 
only finitely many action generator functions to describe these actions. (The action generator 
functions are assumed to be disjoint and their union to be injective). 

It now only remains to show how to define the transition relation. Generally, for each action 
generator function we define one or more step rules. For example, in the case of the action 
generator function send above we might want to define two step rules based on some partition 
of the messages Msg into $Msg_1$ and $Msg_2$. Then one step rule would define steps labeled with 
actions from $\{send(m) \mid m \in Msg_1\}$, and the other would define steps labeled with actions from 
$\{send(m) \mid m \in Msg_2\}$. The sets $Msg_1$ and $Msg_2$ could even be overlapping, in which case we 
introduce nondeterminism of the send steps. A step rule has the form 

agf(x,y, ...) 
Precondition: 

P 
Effect: 

E 

where agf is an action generator function over the variables x, y, etc., P is a precondition, and 
E is an effect clause. 

The precondition P is a state predicate over the state variables of the system and the variables 
x, y, etc. A particular action, say agf(1, 2, ...), is then enabled in state s, if P holds in s after 
replacing free occurrences of x with 1, free occurrences of y with 2, and so on. 

The effect clause E uses a Pascal-like style of assignments. Thus, the effect clause consists 
of a list of assignments (one per line) of the form 

v := e 
where v is a state variable and e is an expression (state function), of the same type as v, over 
the state variables and the variables x, y, etc. Again, for a particular action agf(1, 2, ...) we 
must replace free occurrences of x with 1, free occurrences of y with 2, and so on, in the expression 
e. If e' denotes this instantiated expression, then if s is the state before the assignment, the 
result of executing the assignment is the state s' obtained by changing the value of v to s[e']. 
Thus, $s' = (s \setminus \{v\}) \cup [v \mapsto s[e']]$. The result of executing a list of assignments 

assignment_1 
  ... 
assignment_n 

is obtained by first executing assignment_1, then assignment_2, and so on. Thus, the state will be 
changed in a sequential manner, but remember that this is just a convenient way of describing 
the post-state of the step, namely the state after the last assignment. In TLA [Lam91] the 
effects of steps are given by directly relating the values of the individual state variables in the 
pre- and post-states, but we have chosen this more program-like notation. 

To make some assignments conditional we use an if-then-else construct. An example of such 
a construct is, 

if P then 
  assignment_1 
  assignment_2 
else 
  assignment_3 
  assignment_4 

where P is a state predicate. The semantics is of course that if P holds when control has reached 
the if-statement, then assignments 1 and 2 are executed (in that order); otherwise assignments 
3 and 4 are executed. Note, that we use indentation to indicate the end of the if-then-else 
construct. This means that 

if P then 
  assignment_1 
  assignment_2 
else 
  assignment_3 
assignment_4 

is different from the previous if-then-else construct in that this construct first executes either 
assignments 1 and 2 or assignment 3 depending on the value of P, and then, unconditionally, 
executes assignment 4. We omit the else part of an if-then-else construct if it contains no 
assignments. 

The format of the effect-clause described so far does not allow nondeterminism for a particular 
action. To specify such nondeterminism we will use optional assignments of the form 

optionally x := e 

with the meaning that nondeterministically either the assignment is or is not executed. 

We could have been more formal in defining the syntax and semantics of assignments, etc., 
but since such syntax and semantics are standard, we have chosen to keep the exposition at a 
more intuitive level. 
Finally, we note that step rules may contain variables which are not state variables or variables 
occurring in action generator functions. Such variables can be thought of as constants, 
and we then effectively define a step rule for each proper value of the constant. An example is 
the following step rule, where n is such an extra variable. 

agf(x, y, ...) 
Precondition: 
  ... ∧ 0 < n < 10 
Effect: 


Safe I/O automata must be input-enabled (cf. Definition 2.1). This is ensured by omitting the 
preconditions for input actions. This has the same meaning as a precondition of true. The 
definition of the transition relation for the one-place buffer now looks like: 

send(m) 
Effect: 
  if buf ≠ ⊥ then 
    of := true 
  buf := m 

receive(m) 
Precondition: 
  buf = m 
Effect: 
  buf := ⊥ 

overflow 
Precondition: 
  of = true 
Effect: 
  of := false 

An operational way to read such a definition is as follows. The definition for send(m) says that 
if the buffer receives a new message m when buf is not empty, the overflow flag of is set. After 
that the new message is placed in buf (and a possible previous message will thus be overwritten). 
The one-place buffer can perform a receive(m) step if m is the message in the buffer. The result 
is to empty the buffer. Finally, overflow can be signaled if the overflow flag of is set, and the 
result is that of gets reset to false. 
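As an added example (not code from the report), the one-place buffer above rendered as an executable safe I/O automaton in Python: states are mappings from state variable names to values, each action generator function gets a step rule with a precondition and an effect, input actions get the precondition true, and a checker verifies that a sequence s_0 a_1 s_1 ... a_n s_n is an execution. The names StepRule, run and is_execution are this example's own.

```python
"""One-place buffer of Section 4.1.1 as an executable safe I/O automaton.

Added example, not code from the report.  A state is a mapping from state
variable names to values; every action generator function has a step rule
(precondition, effect); input actions get the precondition true so that the
automaton is input-enabled.  BOTTOM stands for the empty-buffer symbol.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

State = Dict[str, Any]
Action = Tuple[str, ...]            # ("send", m), ("receive", m) or ("overflow",)
BOTTOM = None                       # the symbol denoting the empty buffer


@dataclass(frozen=True)
class StepRule:
    kind: str                                  # "input", "output" or "internal"
    pre: Callable[[State, Action], bool]       # precondition (state predicate)
    eff: Callable[[State, Action], State]      # effect: returns the post-state


def _send_effect(s: State, a: Action) -> State:
    # if buf != BOTTOM then of := true ; buf := m   (assignments run in order)
    s2 = dict(s)
    if s2["buf"] is not BOTTOM:
        s2["of"] = True
    s2["buf"] = a[1]
    return s2


def _receive_effect(s: State, a: Action) -> State:
    s2 = dict(s)
    s2["buf"] = BOTTOM                          # buf := BOTTOM
    return s2


def _overflow_effect(s: State, a: Action) -> State:
    s2 = dict(s)
    s2["of"] = False                            # of := false
    return s2


RULES: Dict[str, StepRule] = {
    # Input action: no precondition, i.e. precondition true (input-enabledness).
    "send":     StepRule("input",  lambda s, a: True,              _send_effect),
    # Output actions: enabled only when their precondition holds.
    "receive":  StepRule("output", lambda s, a: s["buf"] == a[1],  _receive_effect),
    "overflow": StepRule("output", lambda s, a: s["of"] is True,   _overflow_effect),
}
START: State = {"buf": BOTTOM, "of": False}     # buf = BOTTOM, of = false initially


def enabled(s: State, a: Action) -> bool:
    """True iff action a is enabled in state s (its precondition holds)."""
    return RULES[a[0]].pre(s, a)


def step(s: State, a: Action) -> State:
    """The post-state of executing a from s; a must be enabled."""
    if not enabled(s, a):
        raise ValueError(f"{a} is not enabled in {s}")
    return RULES[a[0]].eff(s, a)


def run(actions: List[Action], start: State = START) -> List[State]:
    """Execute a sequence of actions from start and return all states visited."""
    states = [start]
    for a in actions:
        states.append(step(states[-1], a))
    return states


def is_execution(states: List[State], actions: List[Action]) -> bool:
    """Check that s0 a1 s1 ... an sn is an execution: s0 is the start state and
    each (s_{i-1}, a_i, s_i) is a step of the transition relation."""
    if len(states) != len(actions) + 1 or states[0] != START:
        return False
    return all(enabled(s, a) and step(s, a) == s2
               for s, a, s2 in zip(states, actions, states[1:]))
```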

4.1.1.1 Operations on Safe I/O Automata 

In Section 2.1.1 we defined the three operators (parallel composition, action hiding, and action 
renaming) on safe I/O automata. Below we explain how the safe I/O automata resulting from 
applying these operators can be described using syntax derived from the description of the safe 
I/O automata to which the operators were applied. 

We start by considering parallel composition of safe I/O automata. In Definition 2.2, which 
defines parallel composition, we defined a notion of compatibility for safe I/O automata. This 
notion deals with guaranteeing that each action in a composed system be controlled by at most 
one component and that internal actions be unique. Definition 2.2 also says that the state space 
of a composed system is the Cartesian product of the component state spaces. This means that 
if we want to reference the value of a certain state variable of one component, we first have to 
extract the state of the component from the total state. This becomes even more cumbersome 
if several levels of parallel composition are used. In order to avoid dealing with these not very 
interesting details of extracting component states of component states, etc., we will extend the 
notion of compatibility to also include the requirement that the sets of state variables of the 
component systems be disjoint. In this way a state s of the composed system can be uniquely 
described by an assignment of values to the total set of state variables in the system such that 
the value of any state variable x in s agrees with the value of x in the state of the component 
to which x belongs. (More precisely, such a "flat" assignment of values to state variables is 
isomorphic to the state defined by the parallel composition operator in Chapter 2.) Thus, if $s_i$ 
describes the state of the $i$th component as a mapping from state variables of this component 
to their values, the state of the composed system is described by the mapping $s_1 \cup \cdots \cup s_N$. 

Thus, below we shall use the following definition of compatibility (cf. Definition 2.2): Safe 
I/O automata $A_1, \ldots, A_N$ are syntactically compatible if for all $1 \le i, j \le N$ with $i \ne j$ 

1. $out(A_i) \cap out(A_j) = \emptyset$ 

2. $int(A_i) \cap acts(A_j) = \emptyset$ 

3. $variables(A_i) \cap variables(A_j) = \emptyset$. 

Note that the first two conditions have not changed. Below we let "compatibility" refer to 
"syntactical compatibility". 

This notion of compatibility trivially extends to live I/O automata (cf. Definition 2.9). A 
consequence of this way of looking at the state space of a composed system is that for compatible 
safe I/O automata $A_1, \ldots, A_N$, the set of state variables of $A = A_1 \| \cdots \| A_N$ is given by 
$variables(A) = variables(A_1) \cup \cdots \cup variables(A_N)$. 

Thus, the state variables (together with types and initial values) of a composed system can 
be described by writing the lists of state variables for the components one below the other. In 
a similar fashion it is easy to list the action signature of the composed system. 

The question is, how can the description of the steps of the composed system be derived 
from the description of the steps of the components? Remember, from Definition 2.2, that in 
each step of the composed system several components might participate (each executing state 
changes described locally for the action of that step) whereas all other components do not 
change their state. Also remember, that the action of the step is locally-controlled by at most 
one component. That is, either the action is an input action for all participating components, 
or it is locally-controlled by one component and an input action for the remaining participating 
components. Then, if the step rules for send(m) in three components, one of which controls the 
actions, are described by 

send(m)            send(m)          send(m) 
Precondition:      Effect:          Effect: 
  P_1                E_2              E_3 
Effect: 
  E_1 

then the send(m) steps of the composed system can be described by 

send(m) 
Precondition: 
  P_1 
Effect: 
  E_1 
  E_2 
  E_3 

Note that the order of the three effect clauses is unimportant since $E_1$, $E_2$, and $E_3$ mention 
disjoint sets of state variables. 

Since the construction of the step rules of the composed system is so simple, we usually omit 
the explicit construction and instead refer to the step rules of the components. 

For action hiding the situation is much simpler (cf. Definition 2.3). If, for instance, A is a 
safe I/O automaton and $\Lambda$ is a set of locally-controlled actions of A, the syntactic description 
of $A \setminus \Lambda$ is obtained from the syntactic description of A by simply moving the action generator 
functions describing output actions in $\Lambda$ from the list of action generator functions describing 
output actions to the list of action generator functions describing internal actions. Of course, 
if only some of the actions described by an action generator function are hidden, the action 
generator function will have to be split. For example, if send-nat(i), where $i \in \mathbb{N}$, is an action 
generator function for output actions of A, and $\Lambda = \{send\mbox{-}nat(i) \mid i \ge 100\}$, then send-nat(i), 
$0 \le i \le 99$, will be in the listing of output actions of $A \setminus \Lambda$ and send-nat(i), $i \ge 100$, will be in 
the listing of internal actions of $A \setminus \Lambda$. 

Finally, for action renaming we use mappings of the form $[send(m) \mapsto send\mbox{-}message(m) \mid 
m \in Msg] \cup \cdots$, where, intuitively, each entire action generator function is being renamed. In 
this case each action generator function is simply replaced according to the action mapping in 
the syntactic descriptions of the action signature and the steps. 

In the remainder of this work we shall assume that the syntactic changes to safe (timed) I/O 
automata reflecting semantic operations on these are well understood and concentrate on the 
more interesting aspects of defining liveness. 

4.1.2 Live I/O Automata 

We specify a liveness condition L for a safe I/O automaton A indirectly in terms of a temporal 
formula Q over A in the following way: 

$L = \{\alpha \in exec(A) \mid \alpha \models Q\}$ (4.1) 

That is, the liveness condition L consists of all the executions of A that satisfy a certain temporal 
formula Q. Of course, we have to make sure that what we define is in fact a liveness condition 
for A, i.e., we must make sure that any finite execution of A can be extended to an execution 
in L. We shall refer to any temporal formula Q over A that defines a liveness condition L for 
A as a liveness formula for A. Moreover, we call the liveness formula environment-free for A if 
(A,L) is environment-free and thus is a live I/O automaton. 

Given a liveness formula Q for A, we shall refer to the liveness condition defined by (4.1) as 
the liveness condition for A induced by Q. 

4.1.2.1 Operations on Live I/O Automata 

In Section 2.1.2 we defined the three operators (parallel composition, action hiding, and action 
renaming) on live I/O automata. If our approach with specifying liveness using temporal for- 
mulas should have any practical relevance, it is important that the environment-free liveness 
formulas inducing the liveness conditions for the resulting live I/O automata can be obtained 
directly from the environment-free liveness formulas for the original live I/O automata. 

This section proves that this is the case, given a few restrictions. As always we start by 
the result for parallel composition, which requires three preliminary lemmas, the first of which 
embodies the complexity of the proof. 
To help us state and prove the results below, we first define a notion of restriction of an execution 
over $(V, A)$ to $(V', A')$. This notion is not the same as the notion of projection of executions to 
automata as defined in Chapter 2, since it introduces stuttering steps for actions not in $A'$, 
whereas the definition in Chapter 2 simply removes such steps. Below we shall, however, see 
how the two notions are related. 

For any V-state s, $s \upharpoonright V'$, where $V' \subseteq V$, is the V'-state obtained from the mapping s by 
restricting the domain to V'. 

Then, for any execution $\alpha$ over $(V, A)$, define $\alpha \upharpoonright (V', A')$, where $V' \subseteq V$ and $A' \subseteq A$, to 
be the execution over $(V', A')$ obtained from $\alpha$ by replacing each state s in $\alpha$ with $s \upharpoonright V'$ and 
replacing each action $a \notin A'$ with the stuttering action. 

Lemma 4.1 

Let P be a temporal formula over $(V', A')$. Then, for all pairs $(V, A)$ with $V' \subseteq V$ and $A' \subseteq A$, 
all executions $\alpha$ over $(V, A)$, and all $j \ge 0$, 

$(\alpha \upharpoonright (V', A'), j) \models P$ iff $(\alpha, j) \models P$ 

Proof 

In Appendix B. 



We now give an alternative characterization of the projection operator $\lceil$ on executions defined 
in Section 2.1.1. For any execution $\alpha$ of a safe I/O automaton $A_1 \| \cdots \| A_N$, define 

$\alpha \upharpoonright A_i = \alpha \upharpoonright (variables(A_i), acts(A_i))$ 

Then $\alpha \lceil A_i = \natural(\alpha \upharpoonright A_i)$ and clearly we have $\alpha \lceil A_i \sim \alpha \upharpoonright A_i$. 
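An added example (not code from the report) of restriction versus projection in Python, run on a constructed execution of a two-component composition; the stuttering action is named STUTTER here, an assumption of this example. It checks the relationship just stated: removing the stuttering steps from the restriction of an execution to a component gives the Chapter 2 projection to that component.

```python
"""Restriction versus projection of executions (Section 4.1.2.1).

Added example, not code from the report.  An execution over (V, A) is a pair
(states, actions) with one more state than actions.  STUTTER is the name this
example assumes for the stuttering action that restriction substitutes for
actions outside A'.
"""
from typing import Any, Dict, List, Set, Tuple

State = Dict[str, Any]
Execution = Tuple[List[State], List[str]]      # (s0 ... sn, a1 ... an)
STUTTER = "stutter"


def restrict_state(s: State, vars_: Set[str]) -> State:
    """s restricted to V': the mapping s with its domain cut down to V'."""
    return {v: s[v] for v in vars_}


def restrict(alpha: Execution, vars_: Set[str], acts: Set[str]) -> Execution:
    """alpha restricted to (V', A'): restrict every state to V' and replace
    every action outside A' by the stuttering action (no step is removed)."""
    states, actions = alpha
    return ([restrict_state(s, vars_) for s in states],
            [a if a in acts else STUTTER for a in actions])


def remove_stuttering(alpha: Execution) -> Execution:
    """Drop every stuttering step, i.e. a STUTTER action whose post-state
    equals the pre-state."""
    states, actions = alpha
    out_states, out_actions = [states[0]], []
    for a, s in zip(actions, states[1:]):
        if a == STUTTER and s == out_states[-1]:
            continue
        out_states.append(s)
        out_actions.append(a)
    return (out_states, out_actions)


def project(alpha: Execution, vars_: Set[str], acts: Set[str]) -> Execution:
    """The Chapter 2 projection to a component: steps labelled with actions
    outside the component's action set are removed outright."""
    states, actions = alpha
    out_states, out_actions = [restrict_state(states[0], vars_)], []
    for a, s in zip(actions, states[1:]):
        if a in acts:
            out_states.append(restrict_state(s, vars_))
            out_actions.append(a)
    return (out_states, out_actions)


# Constructed execution of a composition B || Ctr: the buffer B owns the
# variables buf and of and the actions send/receive; the counter Ctr owns n
# and tick.  In a tick step B does not participate, so buf and of are unchanged.
VARS_B, ACTS_B = {"buf", "of"}, {"send", "receive"}
ALPHA: Execution = (
    [{"buf": None, "of": False, "n": 0},
     {"buf": None, "of": False, "n": 1},       # after tick
     {"buf": "m",  "of": False, "n": 1},       # after send(m)
     {"buf": "m",  "of": False, "n": 2},       # after tick
     {"buf": None, "of": False, "n": 2}],      # after receive(m)
    ["tick", "send", "tick", "receive"])
```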

The following lemma is now a direct consequence of Lemma 4.1. 

Lemma 4.2 

Let $A_1, \ldots, A_N$ be compatible safe I/O automata and let $Q_1, \ldots, Q_N$ be temporal formulas over 
$A_1, \ldots, A_N$, respectively. Furthermore, let $A = A_1 \| \cdots \| A_N$ and $\alpha \in exec(A)$. Then, for all 
$1 \le i \le N$ and all $j \ge 0$, 

$(\alpha \upharpoonright A_i, j) \models Q_i$ iff $(\alpha, j) \models Q_i$ 

Proof 

Since $\alpha$ is an execution over $(variables(A), acts(A))$ and each $Q_i$ is a temporal formula over 
$(variables(A_i), acts(A_i))$ with $variables(A_i) \subseteq variables(A)$ and $acts(A_i) \subseteq acts(A)$, the result 
follows directly from Lemma 4.1 and the definition of $\alpha \upharpoonright A_i$. 



Lemma 4.3 

Let $A_1, \ldots, A_N$ be compatible safe I/O automata and let $Q_1, \ldots, Q_N$ be stuttering-insensitive 
temporal formulas over $A_1, \ldots, A_N$, respectively. Let $A = A_1 \| \cdots \| A_N$ and $\alpha \in exec(A)$. Then, 

$\alpha \lceil A_1 \models Q_1$ and $\cdots$ and $\alpha \lceil A_N \models Q_N$ iff $\alpha \models Q_1 \wedge \cdots \wedge Q_N$ 

Proof 

In Appendix B. 

■ 

The following important result for parallel composition can now be proved. 

Proposition 4.4 

Let $(A_1, L_1), \ldots, (A_N, L_N)$ be compatible live I/O automata and let $Q_1, \ldots, Q_N$ be stuttering-insensitive 
temporal formulas over $A_1, \ldots, A_N$, respectively, such that each $L_i$ is induced by $Q_i$. 
Let $(A, L) = (A_1, L_1) \| \cdots \| (A_N, L_N)$. Then L is induced by $Q_1 \wedge \cdots \wedge Q_N$. 

Proof 

In Appendix B. 



It is important to understand the role that stuttering-insensitivity plays in the proposition. In 
the execution of a composed system, each step represents activity in a certain subset of the 
components while all other components do not engage in the step at all. When projecting the 
execution to any component, such steps where the component does not engage (i.e., stuttering 
steps) are simply removed. Thus, when specifying the liveness for a component system $(A_i, L_i)$, 
we might write $Q_i = \Diamond\Box(x' = x + 1)$ and hence specify that in any live execution (of $(A_i, L_i)$) 
there must be an infinite suffix where x is incremented by one at each step. Now, in a live 
execution $\alpha$ of the composed system, even though $\alpha \lceil A_i$ satisfies $Q_i$, $\alpha$ itself does not necessarily 
satisfy $Q_i$ since steps performed by other components might result in x being incremented only 
in, e.g., every other step (but still, of course, incremented in every step where $A_i$ engages). In the 
proposition we solve the problem by simply ruling out $Q_i$ since it is not stuttering-insensitive. 
However, in the example we might write the following stuttering-insensitive liveness condition 
which captures the same idea: $Q_i = \Box\Diamond(acts(A_i)) \wedge \Diamond\Box((acts(A_i)) \Rightarrow (x' = x + 1))$. Thus, 
$Q_i$ describes that there is a suffix, with infinite activity of $A_i$, such that every time $A_i$ engages, 
x is incremented. 

Attention is now turned to the simpler operations of action hiding and action renaming. 

Proposition 4.5 

Let (A, L) be a live I/O automaton such that L is induced by the temporal formula Q for A and 
let $\Lambda \subseteq local(A)$. Then the liveness condition of $(A, L) \setminus \Lambda$ is induced by Q. 

Proof 

In Appendix B. 



Proposition 4.6 

Let (A, L) be a live I/O automaton such that L is induced by the temporal formula Q for A, and 
let $\rho$ be an action mapping applicable to (A, L). Define $\rho(Q)$ to be the temporal formula obtained 
by applying $\rho$ to every action function in Q. Then the liveness condition of $\rho((A, L))$ is induced 
by $\rho(Q)$. 

Proof 

In Appendix B. 



4.1.2.2 Fairness 

Fairness is a special form of liveness, where the requirement is that each component of the 
system be given fair turns. Fairness is important since it in most cases is environment-free, 
and furthermore fairness is easy to implement on a physical system. Traditionally, two different 
kinds of fairness are considered: weak and strong fairness. 

Weak fairness to a system component or, as we shall phrase it, to the set of actions representing 
this component says that actions from the set cannot be enabled indefinitely without 
being executed infinitely often. Thus, for a safe I/O automaton A and a set $C \subseteq acts(A)$, weak 
fairness to C can be expressed as the temporal formula 

$WF_A(C) = \Box\Diamond(C) \vee \Box\Diamond\neg enabled_A(C)$ (4.2) 

where $enabled_A(C)$ is a state predicate over A that holds in exactly the states of A where an 
action in C is enabled. As usual we omit the subscript A and write WF(C) and enabled(C) 
when A is clear. 

We have in this work found it useful to use a slight variant of weak fairness in which actions 
are only forced to occur if they are enabled indefinitely and a special forcing condition is satisfied 
indefinitely. This can be formalized as 

$WF(C, P) = \Box\Diamond(C) \vee \Box\Diamond\neg(enabled(C) \wedge P)$ (4.3) 

where P is a state predicate (the forcing condition). When using this variant of weak fairness, it 
is possible to separate the issues of when actions may occur (are enabled) and when they must 
occur. 

Strong fairness says that actions from a set must be executed infinitely often if actions from 
the set are enabled infinitely often. In other words, we cannot ignore the actions forever if we 
are given infinitely many chances to execute them. 

$SF(C) = \Box\Diamond(C) \vee \Diamond\Box\neg enabled(C)$ (4.4) 

Again, with a forcing condition this looks like 

$SF(C, P) = \Box\Diamond(C) \vee \Diamond\Box\neg(enabled(C) \wedge P)$ (4.5) 

It is easy to see that temporal formulas of the form WF(C), WF(C,P), SF(C), or SF(C,P), 
where $C \subseteq acts(A)$ and P is a state predicate over A, are liveness formulas for A. But are they 
environment-free? First of all, environment-freedom must require that C consist of only locally-controlled 
actions, since otherwise we could be restricting the environment to perform certain 
input actions. This condition turns out to be sufficient for weak fairness to be environment-free. 
However, there is a problem with strong fairness as illustrated by the following example: Let L be 
induced by the strong fairness formula SF(C) for A, where $C \subseteq local(A)$. Then, for any infinite 
execution $\alpha$ in L it is the case that if C is enabled in infinitely many states in $\alpha$, then $\alpha$ contains 
infinitely many actions from C. Now suppose, in the game between system and environment, 
that each environment move consists of two input actions: one that is bound to enable C and 
one that is bound to disable C (thus no g function of a strategy can be defined to avoid that 
C is enabled between the input actions and disabled afterwards). In this situation no strategy 
function f can be defined that can ever execute an action in C during such a game; in other 
words, every time the system gets a chance to move, it is not possible to execute an action in C 
since C is not enabled. Thus, any strategy defined on A will, when playing against this villainous 
environment, generate an outcome in which C is infinitely often enabled (namely between the 
two input actions of every environment move) but in which only finitely many C actions are 
executed. Thus the outcome is not live and it follows that SF(C) is not environment-free. 

However, strong fairness is environment-free if the safe I/O automaton in question is C-persistent, 
where $C \subseteq local(A)$. Define A to be C-persistent if for each state s of A in which C 
is enabled and each step (s, a, s') where $a \in in(A)$, C is enabled in s'. Thus, in any execution of 
A, if C becomes enabled, C will stay enabled at least until a locally-controlled action has been 
executed. 
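As an added example (not from the report), the fairness formulas (4.2)-(4.5) evaluated in Python over lasso-shaped executions (a finite prefix followed by a cycle repeated forever), on which □◇ and ◇□ reduce to checks over the cycle. The villainous environment of the strong-fairness discussion above is modelled with a constructed Boolean variable c_enabled; Lasso, WF and SF are this example's own names.

```python
"""Fairness formulas (4.2)-(4.5) evaluated on lasso-shaped executions.

Added example, not code from the report.  An infinite execution is given as
a finite prefix followed by a cycle repeated forever, so the states and actions
occurring infinitely often are exactly those of the cycle; []<> and <>[] then
reduce to checks over the cycle.  The Boolean variable c_enabled (an
assumption of this example) records whether the local action set C is enabled.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple

State = Dict[str, Any]
Step = Tuple[str, State]              # (action, post-state)
Pred = Callable[[State], bool]        # state predicate


@dataclass
class Lasso:
    init: State
    prefix: List[Step]
    cycle: List[Step]                 # non-empty; repeated forever after prefix

    def inf_states(self) -> List[State]:
        """States that occur infinitely often: those of the cycle."""
        return [s for _, s in self.cycle]

    def inf_actions(self) -> Set[str]:
        """Actions that occur infinitely often: those of the cycle."""
        return {a for a, _ in self.cycle}


def box_diamond_action(alpha: Lasso, C: Set[str]) -> bool:
    """[]<>(C): infinitely many steps are labelled with an action from C."""
    return bool(alpha.inf_actions() & C)


def box_diamond(alpha: Lasso, p: Pred) -> bool:
    """[]<>p: p holds in infinitely many states."""
    return any(p(s) for s in alpha.inf_states())


def diamond_box(alpha: Lasso, p: Pred) -> bool:
    """<>[]p: p holds in all but finitely many states."""
    return all(p(s) for s in alpha.inf_states())


def WF(alpha: Lasso, C: Set[str], enabled: Pred, P: Pred = lambda s: True) -> bool:
    """WF(C,P) = []<>(C) or []<> not (enabled(C) and P); WF(C) is the case P = true."""
    return box_diamond_action(alpha, C) or \
        box_diamond(alpha, lambda s: not (enabled(s) and P(s)))


def SF(alpha: Lasso, C: Set[str], enabled: Pred, P: Pred = lambda s: True) -> bool:
    """SF(C,P) = []<>(C) or <>[] not (enabled(C) and P); SF(C) is the case P = true."""
    return box_diamond_action(alpha, C) or \
        diamond_box(alpha, lambda s: not (enabled(s) and P(s)))


C = {"c"}                                     # the locally-controlled action set
enabled_C: Pred = lambda s: s["c_enabled"]    # enabled(C) as a state predicate

# Constructed outcome against the villainous environment: each environment move
# is an input that enables C followed by an input that disables it, so the
# system never gets a chance to execute c while it is enabled.
VILLAIN = Lasso(init={"c_enabled": False}, prefix=[],
                cycle=[("enable", {"c_enabled": True}),
                       ("disable", {"c_enabled": False})])

# Constructed outcome for a C-persistent automaton: C stays enabled until the
# system moves, so a strategy executes c before the next input.
PERSISTENT = Lasso(init={"c_enabled": False}, prefix=[],
                   cycle=[("enable", {"c_enabled": True}),
                          ("c", {"c_enabled": False})])
```

Weak fairness holds for VILLAIN because C is disabled infinitely often, while strong fairness fails there and holds for PERSISTENT.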

Lemma 4.7 

Let A be a safe I/O automaton and let $Q_i$, $1 \le i \le k$, be temporal formulas over A of the form 
$WF(C_i)$, $WF(C_i, P_i)$, $SF(C_i)$, or $SF(C_i, P_i)$, where 

• $C_i \subseteq local(A)$, 

• $P_i$ is a state predicate over A, and 

• if $Q_i = SF(C_i)$ or $Q_i = SF(C_i, P_i)$, then A is $C_i$-persistent. 

Then $Q_1 \wedge \cdots \wedge Q_k$ is an environment-free liveness formula for A. 

Proof 

This proof can be carried out similarly to the proof of Lamport and Abadi's Proposition 4 
in [AL92b]. (Note that [GSSL93] argues that Lamport and Abadi's notion of $\mu$-machine-realizability 
is similar to our notion of environment-freedom. Furthermore, $\mu$-invariance is similar 
to our notion of C-persistence.) 



Another important property of the fairness formulas is that they are stuttering-insensitive as 
expressed by the following lemma. 

Lemma 4.8 

Any conjunction of temporal formulas of the form WF(C), WF(C,P), SF(C), and SF(C,P) 
is stuttering-insensitive. 

Proof 

Directly by the definition of the fairness formulas and Proposition 3.4. 



4.2 Specifying Timed Systems 

We now turn attention to timed systems. As above we first describe how to specify safe timed 
I/O automata, and then how to use our temporal logic to specify liveness. 
4.2.1 Safe Timed I/O Automata 

In this work we use two approaches for specifying safe timed I/O automata: explicit and implicit 
specification. Both approaches describe state spaces using state variables as in the untimed 
setting. The definition of safe timed I/O automata (Definition 2.17) describes that the time can 
be obtained from any state by the .now mapping. Below we assume that 

each safe timed I/O automaton has a special now state variable such that the .now 
mapping simply returns the value of this state variable. 

(We will not be able to see if s.now means the value of the now state variable in state s or the 
result of applying the .now mapping to state s, but since, by definition, both interpretations 
return the same time, this does not give rise to ambiguity.) 

We denote by variables(A) the set of state variables (including now) of the safe timed I/O 
automaton A. With this definition we can extend the definition of compatibility for safe timed 
I/O automata (cf. Definition 2.18) by requiring the state variables of the safe timed I/O automata 
to be almost mutually disjoint (their sets of state variables must only have now in common): Safe 
timed I/O automata $A_1, \ldots, A_N$ are syntactically compatible if for all $1 \le i, j \le N$ with $i \ne j$ 

1. $out(A_i) \cap out(A_j) = \emptyset$ 

2. $int(A_i) \cap acts(A_j) = \emptyset$ 

3. $variables(A_i) \cap variables(A_j) = \{now\}$ 

As in the untimed setting we use, for brevity, the term "compatibility" to refer to syntactical 
compatibility. The notion of compatibility trivially extends to live timed I/O automata (cf. 
Definition 2.26). As in the untimed setting we can now characterize the state of a composed 
safe timed I/O automaton $A = A_1 \| \cdots \| A_N$ by a "flat" mapping from $variables(A_1) \cup \cdots \cup 
variables(A_N)$ (i.e., variables(A)) to values such that s is the state of A if $s \upharpoonright variables(A_i)$ is 
the state of the component $A_i$. This characterization is possible since all components must agree 
on real time (cf. Definition 2.18). 

Explicit Specification 

The explicit approach to specifying safe timed I/O automata is similar to our way of specifying 
safe I/O automata: the state space and initial states are specified by a list of typed state 
variables with possible initial values (the now variable must assume the value 0 initially), the 
action signature is specified by using action generator functions to list input, output, and internal 
actions and the special time-passage action $\nu$, and the steps are specified using the precondition-effect 
style. 

Some of the state variables will typically be used to keep track of deadlines etc. Also, when 
specifying the steps using this explicit approach, the time-passage steps will have to be specified 
explicitly. The precondition for the time-passage steps will usually state that time is not allowed 
to pass beyond some deadlines representing times by which some other steps must have been 
executed. 

It must be proved that what we specify is in fact a safe timed I/O automaton (cf. Definition 2.1).
The axioms S1-S3 are easy to ensure: S1 is ensured by initializing $now$ to 0, S2 is
ensured by leaving $now$ unchanged in the step rules for visible and internal actions, and S3 is
ensured by requiring, in the step rule for $\nu$, that time will increase. S4 and S5 are ensured if
time-passage steps change the $now$ variable only and, from any time, time-passage steps to any
future time, possibly less than some deadline, are allowed.

As in the untimed setting it is easy to construct the syntactic description of a safe timed I/O
automaton from the syntactic description of its components. The only difference compared to
the untimed setting is constructing the step-rule for $\nu$ when dealing with the parallel composition
operator. In this case the preconditions of the step-rules for $\nu$ have to be combined so that all
components allow the assignment to the (common) $now$ variable. This turns out not to be a
problem in practice.

In some situations it is possible to avoid dealing explicitly with deadlines and time-passing when 
specifying safe timed I/O automata. This approach is described next. 

Implicit Specification 

In [MMT91] and [LA91] alternative models for timed systems are developed. We will refer to 
these models by "MMT-models" derived from the names of the authors of [MMT91]. As shown 
in [GSSL93] the model we use is a generalization of the MMT-models. 

In the MMT-models the locally-controlled actions are partitioned into classes and each class
has associated with it a lower and an upper time bound that represent the minimum and maximum
delay of the system when executing these actions.

While these models are sufficient for the specification of many timed distributed systems, 
they are not sufficient for all the examples presented later in this work. However, because the 
MMT-models handle time implicitly, they tend to be easier to understand. 

Instead of developing a theory for MMT-models, we will merely, whenever possible, use the style
of these models as a convenient way of specifying our safe timed I/O automata. So below we
define a notion of MMT-specification and show what such a specification denotes in the model
of safe timed I/O automata.

Definition 4.9 (MMT-Specification)

An MMT-specification $A_{MMT}$ is a triple where

• $automaton(A_{MMT})$ is a safe I/O automaton,

• $sets(A_{MMT})$ is a collection $C_1, \ldots, C_k$ of disjoint sets of locally-controlled actions of the
safe I/O automaton $automaton(A_{MMT})$, and

• $boundmap(A_{MMT})$ is a mapping that to each $C_i \in sets(A_{MMT})$ associates a lower time
bound $b_l(C_i) \in T$ and an upper time bound $b_u(C_i) \in (T \setminus \{0\}) \cup \{\infty\}$, such that $b_u(C_i) \ge
b_l(C_i)$.



We let $states(A_{MMT})$, etc., refer to the corresponding components of the underlying safe I/O
automaton $automaton(A_{MMT})$.

The intuition behind an MMT-specification is as follows: Let the triple $(A, S, b)$ be an MMT-
specification. $A$ itself contains no information about time but we will now "execute" it in a world
that has a notion of real time and $now$. Suppose during execution that a set $C_i \in S$ becomes
enabled at time $t$. Then $b$ specifies that if $C_i$ stays enabled, then an action from $C_i$ must be
executed in the time interval $[t + b_l(C_i), t + b_u(C_i)]$. Thus, the boundmap specifies the time
interval (relative to $t$) in which an action from $C_i$ must be executed, unless $C_i$ becomes disabled
in the meantime. The same has to hold for $C_i$ if it stays enabled after being executed; thus, in
this case a new legal interval is calculated based on the current time, $b_l(C_i)$, and $b_u(C_i)$. If $C_i$
becomes disabled, the timing constraints on $C_i$ are removed.

To encode this idea into the model of safe timed I/O automata, we need to add several state
variables. For instance we need to add the variable $now$ representing real time, and for each
of the sets $C_i$ we need to add two variables: $first(C_i)$ and $last(C_i)$ to denote the first and last
(absolute) times at which an action from $C_i$ must be executed. In the encoding in our model,
the first and last variables should then be set to the proper interval when the associated set
$C_i$ becomes (re-)enabled and reset to "no timing constraints" (i.e., the interval $[0, \infty]$) when
$C_i$ becomes disabled. Furthermore, actions in $C_i$ are only allowed to be executed if real time
has passed beyond $first(C_i)$. Additional time-passage steps also need to be added. These steps
should only change $now$ and are not allowed to let time pass beyond any of the last bounds.
This idea is now formalized.

Definition 4.10

Let $A_{MMT}$ be an MMT-specification. Then $time(A_{MMT})$ is the safe timed I/O automaton $A$ for
which

• each state $s$ of $states(A)$ consists of a state $s.basic$, which is a state of $A_{MMT}$, augmented
with a new state variable $now$ and, for each set $C_i$ of $sets(A_{MMT})$, two new state variables
$first(C_i)$ and $last(C_i)$.

• $start(A)$ consists of states $s$ for which $s.basic$ is a start state of $A_{MMT}$, $s.now = 0$, and,
for each set $C_i$ of $sets(A_{MMT})$, if $C_i$ is enabled in $s.basic$ then $first(C_i) = b_l(C_i)$ and
$last(C_i) = b_u(C_i)$; otherwise, $first(C_i) = 0$ and $last(C_i) = \infty$.

• $(in(A), out(A), int(A)) = (in(A_{MMT}), out(A_{MMT}), int(A_{MMT}))$.

• $ext(A) = ext(A_{MMT}) \cup \{\nu\}$.

• $(s, a, s') \in steps(A)$ iff the following conditions hold:

1. If $a \in acts(A_{MMT})$ then

(a) $s'.now = s.now$.

(b) $(s.basic, a, s'.basic) \in steps(A_{MMT})$.

(c) For each $C_i \in sets(A_{MMT})$:

i. If $a \in C_i$ then $s.first(C_i) \le s.now$.

ii. If $C_i$ is enabled in both $s.basic$ and $s'.basic$, and $a \notin C_i$, then $s'.first(C_i) =
s.first(C_i)$ and $s'.last(C_i) = s.last(C_i)$.

iii. If $C_i$ is enabled in $s'.basic$ and either $a \in C_i$ or $C_i$ is not enabled in $s.basic$,
then $s'.first(C_i) = s'.now + b_l(C_i)$ and $s'.last(C_i) = s'.now + b_u(C_i)$.

iv. If $C_i$ is not enabled in $s'.basic$ then $s'.first(C_i) = 0$ and $s'.last(C_i) = \infty$.

2. If $a = \nu$ then

(a) $s'.now > s.now$.

(b) $s'.basic = s.basic$.

(c) $s'.now \le s'.last(C_i)$ for all $C_i \in sets(A_{MMT})$.

(d) $s'.first(C_i) = s.first(C_i)$ and $s'.last(C_i) = s.last(C_i)$ for all $C_i \in sets(A_{MMT})$.


It is easy to see that $time(A_{MMT})$ is in fact a safe timed I/O automaton (cf. Definition 2.17).
Specifically, axiom S1 is ensured since $now$ is initialized to 0, S2 is ensured since, by explicit
construction, $now$ does not change in steps labeled by visible or internal actions, S3 is ensured
since time-passage steps are explicitly required to increase time, and finally S4 and S5 are easily
seen to be ensured since $time(A_{MMT})$ from any time allows time-passage to any future time less
than some deadline (expressed by the last variables) and time-passage steps do not change the
basic part of the state.

When using the implicit approach to specifying safe timed I/O automata, we use the
precondition-effect style of Section 4.1.1 to specify the underlying safe I/O automaton, and
then use standard notation (cf. Appendix A) to specify the sets of locally-controlled actions
and the boundmap. Based on the simple way the new variables ($now$ and the first and last
variables) are manipulated, it is easy to construct an explicit description of $time(A_{MMT})$ based
on the description of $A_{MMT}$.

We refer to Chapter 10 for an example of the implicit style of specification. 
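As an added illustration of Definition 4.10 (this is not code from the report or from [GSSL93]), the following Python computes the steps of $time(A_{MMT})$ from an MMT-specification: `discrete_step` implements condition 1 and `time_passage` condition 2. The request/response automaton, its classes C and T, and the bounds [1, 3] and [2, 2] are a constructed example.

```python
"""Encoding an MMT-specification as a safe timed I/O automaton (Definition 4.10)."""
from dataclasses import dataclass
from math import inf
from typing import Dict, FrozenSet, Hashable, Optional, Tuple

Action = str
Basic = Hashable   # a state of the underlying untimed safe I/O automaton


@dataclass(frozen=True)
class MMTSpec:
    """The triple of Definition 4.9: untimed automaton (start states and steps), classes, boundmap."""
    start: FrozenSet[Basic]
    steps: FrozenSet[Tuple[Basic, Action, Basic]]
    sets: Dict[str, FrozenSet[Action]]           # class name -> disjoint set C_i of actions
    boundmap: Dict[str, Tuple[float, float]]     # class name -> (b_l(C_i), b_u(C_i))

    def enabled(self, cls: str, basic: Basic) -> bool:
        """C_i is enabled in a state iff some action of C_i has a step leaving that state."""
        return any(s == basic and a in self.sets[cls] for s, a, _ in self.steps)


@dataclass(frozen=True)
class TimedState:
    """s.basic augmented with now and, for every class, first(C_i) and last(C_i)."""
    basic: Basic
    now: float
    first: Tuple[Tuple[str, float], ...]   # sorted (class, value) pairs keep the state hashable
    last: Tuple[Tuple[str, float], ...]

    def bounds(self, cls: str) -> Tuple[float, float]:
        return dict(self.first)[cls], dict(self.last)[cls]


def _pack(d: Dict[str, float]) -> Tuple[Tuple[str, float], ...]:
    return tuple(sorted(d.items()))


def timed_start(spec: MMTSpec, basic: Basic) -> TimedState:
    """start(A): now = 0; enabled classes get [b_l, b_u], the others the vacuous [0, inf]."""
    if basic not in spec.start:
        raise ValueError("not a start state of the MMT-specification")
    first, last = {}, {}
    for cls, (bl, bu) in spec.boundmap.items():
        first[cls], last[cls] = (bl, bu) if spec.enabled(cls, basic) else (0.0, inf)
    return TimedState(basic, 0.0, _pack(first), _pack(last))


def discrete_step(spec: MMTSpec, s: TimedState, a: Action,
                  basic_next: Basic) -> Optional[TimedState]:
    """Condition 1: the successor of s under an action of A_MMT, or None if disallowed."""
    if (s.basic, a, basic_next) not in spec.steps:              # 1(b)
        return None
    first, last = dict(s.first), dict(s.last)
    for cls, (bl, bu) in spec.boundmap.items():
        in_cls = a in spec.sets[cls]
        was, still = spec.enabled(cls, s.basic), spec.enabled(cls, basic_next)
        if in_cls and not first[cls] <= s.now:                  # 1(c)i: lower bound not reached
            return None
        if not still:                                           # 1(c)iv: constraints removed
            first[cls], last[cls] = 0.0, inf
        elif in_cls or not was:                                 # 1(c)iii: (re-)enabled, new interval
            first[cls], last[cls] = s.now + bl, s.now + bu
        # otherwise 1(c)ii: enabled before and after and a not in C_i, bounds unchanged
    return TimedState(basic_next, s.now, _pack(first), _pack(last))   # 1(a): now unchanged


def time_passage(spec: MMTSpec, s: TimedState, t: float) -> Optional[TimedState]:
    """Condition 2: let time advance to t, or None if some last(C_i) would be passed."""
    if not t > s.now:                                           # 2(a)
        return None
    if any(t > deadline for _, deadline in s.last):             # 2(c)
        return None
    return TimedState(s.basic, t, s.first, s.last)              # 2(b), 2(d)


# Constructed example (not from the report): a request/response automaton whose
# response class C = {resp} has bounds [1, 3] and whose clock class T = {tick} has
# bounds [2, 2].  "req" is an input and so belongs to no class.
EXAMPLE = MMTSpec(
    start=frozenset({"idle"}),
    steps=frozenset({("idle", "req", "pending"), ("pending", "req", "pending"),
                     ("pending", "resp", "idle"),
                     ("idle", "tick", "idle"), ("pending", "tick", "pending")}),
    sets={"C": frozenset({"resp"}), "T": frozenset({"tick"})},
    boundmap={"C": (1.0, 3.0), "T": (2.0, 2.0)},
)


def run_example() -> list:
    """Drive EXAMPLE through all four cases of 1(c); returns the states reached."""
    s0 = timed_start(EXAMPLE, "idle")                    # C: [0, inf] (disabled), T: [2, 2]
    s1 = time_passage(EXAMPLE, s0, 1.0)                  # allowed: 1 <= last(T) = 2
    s2 = discrete_step(EXAMPLE, s1, "req", "pending")    # C newly enabled -> [2, 4]; T kept
    s3 = time_passage(EXAMPLE, s2, 2.0)                  # allowed; 2.5 would pass last(T)
    s4 = discrete_step(EXAMPLE, s3, "tick", "pending")   # tick in T -> T reset to [4, 4]
    s5 = discrete_step(EXAMPLE, s4, "resp", "idle")      # resp at first(C) = 2; C disabled
    return [s0, s1, s2, s3, s4, s5]
```

Attempting `resp` from `s2` (time 1, before $first(C) = 2$) or a time-passage from `s2` to 2.5 (past $last(T) = 2$) both return `None`, which is how the explicit deadline variables enforce the implicit bounds of the MMT-style description.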

4.2.2 Live Timed I/O Automata 

If we were to follow the lines of the untimed section when specifying the liveness condition 
for a safe timed I/O automaton, we should devise some temporal logic in which formulas were 
evaluated over timed executions. However, we take a different approach. The idea is that a 
timed execution can be characterized by a set of (ordinary) executions each of which can be 
thought of as a sampling of the timed execution. Thus, there exists a close relationship between 
timed executions and (ordinary) executions of a safe timed I/O automaton. 

We proceed by defining the notion of sampling. Then we define what constitutes a sampling 
characterization of a liveness condition, show how the operations on live timed I/O automata 
are reflected in the syntax describing the liveness of the live timed I/O automata, and finally 
discuss the notions of weak and strong fairness in the timed setting. 

4.2.2.1 Sampling 

All definitions and lemmas in this section are taken from [GSSL93] and are similar to those of 
[LV93b]. 

Roughly speaking, an (ordinary) execution fragment can be regarded as "sampling" the state
information in a timed execution fragment at a countable number of points in time. Formally,
we say that an execution fragment $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ of $A$ samples a timed execution fragment
$\Sigma = \omega_0 b_1 \omega_1 b_2 \omega_2 \cdots$ of $A$ if there is a monotone increasing mapping $f : \mathbb{N} \to \mathbb{N}$ such that the
following conditions are satisfied.

1. $f(0) = 0$,

2. $b_i = a_{f(i)}$ for all $i \ge 1$,

3. $a_j = \nu$ for all $j$ not in the range of $f$,

4. For all $i \ge 0$ such that $\omega_i$ is not the last trajectory in $\Sigma$,

(a) $s_j \in rng(\omega_i)$ for all $j$, $f(i) \le j < f(i+1)$,

(b) $s_{f(i)}.now = ftime(\omega_i)$, and

(c) $s_{f(i+1)-1}.now = ltime(\omega_i)$.

5. If $\omega_i$ is the last trajectory in $\Sigma$, then

(a) $s_j \in rng(\omega_i)$ for all $j$, $f(i) \le j$,

(b) $s_{f(i)}.now = ftime(\omega_i)$, and

(c) $\sup\{s_j.now \mid f(i) \le j\} = ltime(\omega_i)$.

In other words, the function $f$ in this definition maps the (indices of) actions in $\Sigma$ to corresponding
(indices of) actions in $\alpha$, in such a way that exactly the non-time-passage actions of $\alpha$
are included in the range. Condition 4 is a consistency condition relating the first and last times
for each non-final trajectory to the times produced by the appropriate steps of $\alpha$. Condition 5
gives a similar consistency condition for the first time of the final trajectory (if any); in place of
the consistency condition for the last time, there is a "cofinality" condition asserting that the
times grow to the same limit in both executions.

The following two straightforward lemmas show the relationship between timed execution 
fragments and ordinary execution fragments. 

Lemma 4.11

Let $A$ be a safe timed I/O automaton. If $\alpha \in frag(A)$, then there is a timed execution fragment
$\Sigma \in \textit{t-frag}(A)$ such that $\alpha$ samples $\Sigma$.

■

Lemma 4.12

Let $A$ be a safe timed I/O automaton. If $\Sigma \in \textit{t-frag}(A)$, then there is an execution fragment
$\alpha \in frag(A)$ such that $\alpha$ samples $\Sigma$.



Recall that an execution fragment $\alpha$ is finite if it is a finite sequence. Furthermore, in the timed
setting, an execution fragment $\alpha$ is defined to be admissible if there is no finite upper bound
on the $.now$ values of the states in $\alpha$. Finally, an execution fragment is said to be Zeno if it is
neither finite nor admissible. We denote by $exec^*(A)$, $exec^\infty(A)$, and $exec^Z(A)$ the sets of finite,
admissible, and Zeno executions of a safe timed I/O automaton $A$.

Lemma 4.13

If $\alpha$ samples $\Sigma$ then

1. $\alpha$ is finite iff $\Sigma$ is finite,

2. $\alpha$ is admissible iff $\Sigma$ is admissible, and

3. $\alpha$ is Zeno iff $\Sigma$ is Zeno.






It is possible to give a sensible definition of the timed trace of an ordinary execution fragment
of a safe timed I/O automaton. Namely, suppose $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ is an execution fragment of
a safe timed I/O automaton $A$. First, define $ltime(\alpha)$ to be the supremum of the $.now$ values of
all the states in $\alpha$. Then let $\delta$ be the sequence consisting of the actions in $\alpha$ paired with their
times of occurrence:

$\delta = (a_1, s_1.now)(a_2, s_2.now) \cdots$

Then $\textit{t-trace}(\alpha)$, the timed trace of $\alpha$, is defined to be the pair

$\textit{t-trace}(\alpha) = (\delta \lceil (vis(A) \times T),\ ltime(\alpha))$

The following lemma shows that the definitions of timed traces for execution fragments and
timed execution fragments are properly related:

Lemma 4.14

If $\alpha$ samples $\Sigma$ then $\textit{t-trace}(\alpha) = \textit{t-trace}(\Sigma)$.



4.2.2.2 Sampling Characterization of Liveness Conditions 

As mentioned above we will characterize liveness conditions for safe timed I/O automata by a 
set of ordinary executions. 

Let $A$ be a safe timed I/O automaton and let $L_s \subseteq exec^\infty(A)$ be a set of admissible (ordinary)
executions of $A$. Then $L_s$ is said to be a sampling characterization of the set

$L = \{\Sigma \in \textit{t-exec}^\infty(A) \mid \text{for all } \alpha, \text{ if } \alpha \text{ samples } \Sigma, \text{ then } \alpha \in L_s\}$ (4.6)

That is, $L$ contains all those admissible timed executions of $A$ that have all their samplings in
$L_s$. We say that $L$ is induced by the sampling characterization $L_s$. Note that the sampling
characterization $L_s$ may contain "extra" executions that are not samplings of any timed executions
in the set $L$ induced by $L_s$. (Such an extra execution will be the sampling of some timed
execution $\Sigma$, but since not all samplings of $\Sigma$ are in $L_s$, $\Sigma$ is not in $L$.) If $L_s$ coincides with
the set of all samplings of all timed executions in the set $L$ induced by $L_s$, i.e., if $L_s$ does not
contain any "extra" executions, then $L_s$ is said to be minimal.

If the set $L$ induced by $L_s$ is a liveness condition for $A$, $L_s$ is said to be a liveness sampling
characterization for $A$. Furthermore, if $(A, L)$ is a live timed I/O automaton, i.e., if $(A, L \cup
\textit{t-exec}^{Zt}(A))$ is environment-free, $L_s$ is said to be environment-free for $A$.

A liveness sampling characterization for some safe timed I/O automaton $A$ can now be specified
indirectly in exactly the same way we defined liveness conditions in the untimed setting using
temporal formulas. Thus, for any temporal formula $Q$ over $A$ we refer to the set

$L_s = \{\alpha \in exec^\infty(A) \mid \alpha \models Q\}$ (4.7)

as the sampling characterization induced by $Q$. If $L_s$ is a liveness sampling characterization for
$A$, $Q$ is referred to as a timed liveness formula for $A$. Furthermore, if $L_s$ is environment-free or
minimal, $Q$ is said to be environment-free or minimal, respectively. Finally, if $L$ is induced by
$L_s$ which, in turn, is induced by $Q$, we say that $L$ is induced by $Q$.
4.2.2.3 Operations on Live Timed I/O Automata

As in the untimed setting we now show how the liveness of live timed I/O automata obtained
as results of the operators (parallel composition, action hiding, and action renaming) is induced
by temporal formulas derived from the temporal formulas inducing the liveness of the live timed
I/O automata to which the operators were applied.

We start by looking at parallel composition and for that we need the following result, which
expresses the relationship between sampling and projection ($\lceil$). We state the result without
proof (except we note that point 3 follows from points 1 and 2).

Lemma 4.15

Let $A_1, \ldots, A_N$ be compatible safe timed I/O automata, $A = A_1 \| \cdots \| A_N$, and $\Sigma \in \textit{t-exec}(A)$.
Then, for all $1 \le i \le N$,

1. if $\alpha$ samples $\Sigma$, then $\alpha \lceil A_i$ samples $\Sigma \lceil A_i$;

2. if $\alpha_i$ samples $\Sigma \lceil A_i$ then there exists an $\alpha$ such that $\alpha$ samples $\Sigma$ and $\alpha_i = \alpha \lceil A_i$; and

3. $\{\alpha \lceil A_i \mid \alpha \text{ samples } \Sigma\} = \{\alpha_i \mid \alpha_i \text{ samples } \Sigma \lceil A_i\}$.



Lemmas 4.2 and 4.3 above for safe I/O automata are actually valid for safe timed I/O automata
as well. We restate the timed version of Lemma 4.3.

Lemma 4.16

Let $A_1, \ldots, A_N$ be compatible safe timed I/O automata and $Q_1, \ldots, Q_N$ be stuttering-insensitive
temporal formulas over $A_1, \ldots, A_N$, respectively. Let $A = A_1 \| \cdots \| A_N$ and $\alpha \in exec(A)$. Then,

$\alpha \lceil A_1 \models Q_1 \text{ and } \cdots \text{ and } \alpha \lceil A_N \models Q_N \quad\text{iff}\quad \alpha \models Q_1 \wedge \cdots \wedge Q_N$



The main result for parallel composition of live timed I/O automata can now be stated and 
proved. 

Proposition 4.17

Let $(A_1, L_1), \ldots, (A_N, L_N)$ be compatible live timed I/O automata and $Q_1, \ldots, Q_N$ be stuttering-
insensitive temporal formulas over $A_1, \ldots, A_N$, respectively, such that each $L_i$ is induced by $Q_i$.
Let $(A, L) = (A_1, L_1) \| \cdots \| (A_N, L_N)$. Then $L$ is induced by $Q_1 \wedge \cdots \wedge Q_N$.

Proof 

In Appendix B. 



Attention is now turned to the simpler operations of action hiding and action renaming. 
Proposition 4.18

Let $(A, L)$ be a live timed I/O automaton such that $L$ is induced by the temporal formula $Q$ for
$A$ and let $\Lambda \subseteq local(A)$. Then the liveness condition of $(A, L) \setminus \Lambda$ is induced by $Q$.

Proof

In Appendix B.



Proposition 4.19

Let $(A, L)$ be a live timed I/O automaton such that $L$ is induced by the temporal formula $Q$ for
$A$, and let $\rho$ be an action mapping applicable to $(A, L)$. Define $\rho(Q)$ to be the temporal formula
obtained by applying $\rho$ to every action function in $Q$. Then the liveness condition of $\rho((A, L))$
is induced by $\rho(Q)$.

Proof 

In Appendix B. 



4.2.2.4 Fairness 

The fairness formulas (Equations (4.2)-(4.5)) presented in the untimed setting also express fair- 
ness requirements in the timed setting. However, fairness in the timed setting is not necessarily 
environment-free as in the untimed setting. 

The problem is that environment-freedom can be jeopardized because the system may collaborate
with the environment to generate non-Zeno-tolerant outcomes, as explained in Section 2.2.2,
regardless of the fairness formulas. We do not investigate further whether weak and strong
fairness are environment-free for certain classes of safe timed I/O automata.

4.3 Embedding 

In Section 2.3 we introduced the patient operator, which takes a safe or live I/O automaton as 
argument and returns the corresponding safe or live timed I/O automaton, respectively, that 
allows time to pass arbitrarily. 

The patient operator on safe I/O automata (cf. Definition 2.34) adds an extra state component
representing real time. When describing state spaces using state variables, we shall assume
that the patient operator adds an extra state variable called $now$ (as well as the extra
time-passage action $\nu$). Thus, we shall assume that $now$ is not a state variable of any safe I/O
automaton to which we apply patient.

In Section 2.3 we described what it means to untime a timed execution of a patient safe
I/O automaton. A similar definition can be given for ordinary executions: let $A$ be a safe I/O
automaton such that $now \notin variables(A)$ and $\nu \notin acts(A)$, and let $A_p = patient(A)$. Then for
any $\alpha \in exec(A_p)$, define $untime(\alpha)$ to be the execution of $A$ obtained from $\alpha$ by restricting
every state to the state variables of $A$ and removing every time-passage step (which does not
change the state variables of $A$). Formally we have

$untime(\alpha) = [\,](\alpha \lceil (variables(A), acts(A)))$
The following lemma, which we state without proof, says that the definition of $untime(\alpha)$ is
sensible.

Lemma 4.20

Let $A$ be a safe I/O automaton such that $now \notin variables(A)$ and $\nu \notin acts(A)$, and let $A_p =
patient(A)$. Then, for any $\Sigma \in \textit{t-exec}(A_p)$ and $\alpha \in exec(A_p)$, if $\alpha$ samples $\Sigma$, then $untime(\alpha) =
untime(\Sigma)$.



Lemma 4.21

Let $A$ be a safe I/O automaton and let $Q$ be a stuttering-insensitive temporal formula over $A$.
Furthermore, let $A_p = patient(A)$. Then, for all $\alpha \in exec(A_p)$,

$untime(\alpha) \models Q \quad\text{iff}\quad \alpha \models Q$

Proof 

In Appendix B. 



We can now state and prove the main result of this section, namely that stuttering-insensitive 
temporal formulas carry over as environment-free liveness formulas when applying the patient 
operator. 

Proposition 4.22

Let $(A, L)$ be a live I/O automaton with $L$ induced by a stuttering-insensitive temporal formula
$Q$ over $A$. Furthermore, let $(A_p, L_p) = patient(A, L)$. Then, $L_p$ is induced by $Q$, and $Q$ is
minimal.

Proof 

In Appendix B. 



The minimality of $Q$ as implied by the proposition will be important when proving that a live
timed I/O automaton correctly implements the patient version of a live I/O automaton. In fact,
as we shall see in the next chapter, our proof techniques in the timed setting require liveness
conditions of certain live timed I/O automata to be induced by minimal temporal formulas.



This concludes this chapter. We have described how to specify safe (timed) I/O automata using 
a precondition-effect language and how to use the temporal logic defined in Chapter 3 to specify 
liveness. Furthermore, this chapter contains several results which state how operations in the 
semantic model are reflected in the syntax. 

Before we start the protocol verification example in Part II of this report, the next chapter 
deals with presenting a number of proof techniques for proving correctness. 



Chapter 5 

Proof Techniques 



The previous chapters have defined the general models of timed and untimed systems that we 
will use in this work, and described our approach to specifying objects of these models. This 
chapter is devoted to presenting a host of proof techniques for proving that one live (timed) I/O 
automaton correctly or safely implements another live (timed) I/O automaton. 

In Chapter 2 the notions of safe and correct implementation are defined. These notions are, 
for both untimed and timed systems, based on the (timed) traces that the involved systems 
can exhibit. For safe implementation, all (timed) traces are considered, whereas correct imple- 
mentation restricts attention to live (timed) traces. The respective implementation notions are 
then expressed as the subset relation between the sets of all/live (timed) traces of the involved 
systems. 

For untimed systems, reasoning about implementation directly in terms of trace inclusion 
is not feasible. First of all, traces are defined implicitly as the traces of the executions, and 
second, the liveness condition is defined implicitly as the set of executions that satisfy a certain 
temporal formula. Thus, the sets of traces and live traces are not readily available but are 
derived from safe I/O automata and temporal formulas. This calls for some proof techniques 
that are based on this available information and that are sound with respect to the safe and 
correct implementation relations. 

The same discussion is valid for timed systems as well. In timed systems there is even an 
extra level of indirection since the liveness condition of a live timed I/O automaton is usually 
induced by a sampling characterization which, in turn, is induced by a temporal formula. 

We first present, in Section 5.1, the proof techniques used for untimed systems, and then, in 
Section 5.2, these techniques are extended to timed systems. Most of the techniques are taken 
from [GSSL93] and are included here to make this report self-contained. We refer to [GSSL93] 
for details and proofs. 

5.1 Untimed Systems 

This section presents a number of techniques for proving the safe implementation relation and
for assisting in proving the correct implementation relation for live I/O automata. The techniques
are based on simulations between safe I/O automata, which are sound with respect to the safe
implementation relation, i.e., trace inclusion.

However, as shown in [GSSL93], it turns out that a stronger result can be proved for the
simulation techniques: that there is a certain correspondence between the executions of the
involved safe I/O automata and not only between their traces. Since the liveness conditions of
live I/O automata are stated in terms of executions and not in terms of traces, this result, which
is called the Execution Correspondence Theorem, can form the basis for the proof of the correct
implementation relation, i.e., live trace inclusion.

[Figure 5.1: Example of a simulation (high-level states above, low-level states below, connected
by the simulation relation). The actions a and b are external actions. The rest of the
transitions are thought of as labeled by internal actions.]

Thus, when proving correct implementation between two live I/O automata, first a simulation 
result between the safe I/O automata parts is proved and then this simulation result and the 
Execution Correspondence Theorem are used to prove live trace inclusion. 

We proceed by defining a number of simulation proof techniques and stating the Execution 
Correspondence Theorem. Then we present the proof techniques for proving the safe and correct 
implementation relations. Finally, we consider the additional proof technique of adding history 
variables. 



5.1.1 Simulation Proof Techniques 

A simulation from $A$ to $B$, where $A$ and $B$ are safe I/O automata with the same input and
output actions, is a relation between the states of $A$ and the states of $B$ such that certain
conditions hold. $A$ will be referred to as the concrete, low-level, or implementation safe I/O
automaton, and $B$ as the abstract, high-level, or specification safe I/O automaton.

Exactly what conditions a simulation must satisfy depends on the kind of simulation. Below
we define notions of, e.g., forward and backward simulations which differ in a few but important
respects. Generally, however, two conditions must be satisfied: first, the start states of the two
safe I/O automata must be related in a certain way, and, second, each step of the low-level safe
I/O automaton must "correspond" to a sequence of steps of the high-level safe I/O automaton.

The second condition is depicted in Figure 5.1. For each step of the low-level safe I/O 
automaton, i.e., for each low-level step, there must exist a sequence of (high-level) steps of the 
high-level safe I/O automaton between states related — by the simulation relation — to the pre- 
and post-state of the low-level step, such that the sequence of high-level steps contains exactly 
the same external actions as the low-level step. How the sequence of high-level steps is selected 
depends on what kind of simulation is considered. 

Below forward simulations, refinement mappings, and backward simulations are defined. We 
refer to [GSSL93, LV93a, Jon91] for more details about these simulations. 

The simulation techniques use invariants of the safe I/O automata to restrict the steps
that need to be considered. Define an invariant of a safe I/O automaton $A$ to be any set of states
of $A$ that is a superset of the reachable states of $A$. Equivalently, an invariant can be defined to
be a state formula over $A$ that is satisfied by at least all reachable states of $A$. We will use the
two definitions interchangeably.

The following notational convention is used: if $R$ is a relation over $S_1 \times S_2$ and $s_1 \in S_1$, then
$R[s_1]$ denotes the set $\{s_2 \in S_2 \mid (s_1, s_2) \in R\}$.

Definition 5.1 (Forward simulation)

Let $A$ and $B$ be safe I/O automata with $in(A) = in(B)$ and $out(A) = out(B)$ and with invariants
$I_A$ and $I_B$, respectively. A forward simulation from $A$ to $B$, with respect to $I_A$ and $I_B$, is a
relation $f$ over $states(A) \times states(B)$ that satisfies:

1. If $s \in start(A)$ then $f[s] \cap start(B) \ne \emptyset$.

2. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $u \in f[s] \cap I_B$, then there exists an $\alpha \in frag^*(B)$ with
$fstate(\alpha) = u$, $lstate(\alpha) \in f[s']$, and $trace(\alpha) = trace(a)$.

We write $A \le_F B$ if there exists a forward simulation from $A$ to $B$ with respect to some invariants
$I_A$ and $I_B$. If $f$ is a forward simulation from $A$ to $B$ with respect to some invariants $I_A$ and $I_B$,
we write $A \le_F B$ via $f$.



A refinement mapping is a special case of a forward simulation where the relation is a function.
Because of its practical importance (cf. [AL91]) we give an explicit definition.

Definition 5.2 (Refinement mapping)

Let $A$ and $B$ be safe I/O automata with $in(A) = in(B)$ and $out(A) = out(B)$ and with invariants
$I_A$ and $I_B$, respectively. A refinement mapping from $A$ to $B$, with respect to $I_A$ and $I_B$, is a
function $r$ from $states(A)$ to $states(B)$ that satisfies:

1. If $s \in start(A)$ then $r(s) \in start(B)$.

2. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $r(s) \in I_B$, then there exists an $\alpha \in frag^*(B)$ with
$fstate(\alpha) = r(s)$, $lstate(\alpha) = r(s')$, and $trace(\alpha) = trace(a)$.

We write $A \le_R B$ if there exists a refinement mapping from $A$ to $B$ with respect to some
invariants $I_A$ and $I_B$. If $r$ is a refinement mapping from $A$ to $B$ with respect to some invariants
$I_A$ and $I_B$, we write $A \le_R B$ via $r$.
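For finite safe I/O automata the conditions of Definitions 5.1 and 5.2 can be checked mechanically. The following Python is an added example, not code from the report: `check_forward_simulation` searches, for every low-level step, for a finite high-level fragment with the same trace that ends in a related state, and a refinement mapping is checked as the forward simulation given by its graph. The two automata (an implementation that takes an internal `prep` step before `send`) and the two candidate mappings are constructed for the example.

```python
"""Checking a forward simulation (Definition 5.1) between finite safe I/O automata."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Hashable, List, Optional, Set, Tuple

State = Hashable
Action = str
Step = Tuple[State, Action, State]


@dataclass(frozen=True)
class Automaton:
    """A finite safe I/O automaton given explicitly by start states, steps and vis(A)."""
    start: FrozenSet[State]
    steps: FrozenSet[Step]
    external: FrozenSet[Action]    # in(A) U out(A); every other action is internal

    def trace(self, actions: List[Action]) -> Tuple[Action, ...]:
        return tuple(a for a in actions if a in self.external)

    def states(self) -> FrozenSet[State]:
        return self.start | frozenset(x for s, _, s2 in self.steps for x in (s, s2))


def matching_fragment(B: Automaton, u: State, trace: Tuple[Action, ...],
                      targets: Set[State]) -> Optional[List[Step]]:
    """Breadth-first search for a finite fragment alpha of B with fstate(alpha) = u,
    trace(alpha) = trace and lstate(alpha) in targets; returns its steps, or None.

    Each (state, number of trace symbols consumed) pair is expanded at most once, so
    the search terminates for a finite B even when B has cycles of internal steps.
    """
    queue = deque([(u, 0, [])])
    seen = {(u, 0)}
    while queue:
        state, k, path = queue.popleft()
        if k == len(trace) and state in targets:
            return path
        for s, a, s2 in B.steps:
            if s != state:
                continue
            if a in B.external:
                if k == len(tr2) if False else k == len(trace) or trace[k] != a:
                    continue
                nk = k + 1
            else:
                nk = k                         # internal step: consumes no trace symbol
            if (s2, nk) not in seen:
                seen.add((s2, nk))
                queue.append((s2, nk, path + [(s, a, s2)]))
    return None


def check_forward_simulation(A: Automaton, B: Automaton, f: Set[Tuple[State, State]],
                             inv_A: Optional[Set[State]] = None,
                             inv_B: Optional[Set[State]] = None) -> List[str]:
    """Return the violations of Definition 5.1; an empty list means A <=_F B via f.

    When no invariants are given, the set of all states (trivially a superset of the
    reachable states) is used, so every step of A has to be matched.
    """
    inv_A = A.states() if inv_A is None else inv_A
    inv_B = B.states() if inv_B is None else inv_B

    def image(s: State) -> Set[State]:          # f[s] in the notation of the report
        return {u for (x, u) in f if x == s}

    errors = []
    for s in A.start:                                              # condition 1
        if not image(s) & B.start:
            errors.append(f"start condition fails for {s!r}")
    for s, a, s2 in A.steps:                                       # condition 2
        if s not in inv_A or s2 not in inv_A:
            continue
        for u in image(s) & inv_B:
            if matching_fragment(B, u, A.trace([a]), image(s2)) is None:
                errors.append(f"step {(s, a, s2)!r}: no matching fragment from {u!r}")
    return errors


def refinement_as_relation(r: Dict[State, State]) -> Set[Tuple[State, State]]:
    """A refinement mapping (Definition 5.2) is the forward simulation given by its graph."""
    return set(r.items())


# Constructed example (not from the report): the specification performs "send" in a
# single step; the implementation first takes an internal "prep" step and then sends.
SPEC = Automaton(start=frozenset({0}), steps=frozenset({(0, "send", 1)}),
                 external=frozenset({"send"}))
IMPL = Automaton(start=frozenset({"q0"}),
                 steps=frozenset({("q0", "prep", "q1"), ("q1", "send", "q2")}),
                 external=frozenset({"send"}))
GOOD = refinement_as_relation({"q0": 0, "q1": 0, "q2": 1})  # prep matched by the empty fragment
BAD = refinement_as_relation({"q0": 0, "q1": 1, "q2": 1})   # prep would need SPEC to move silently
```

With `GOOD` the internal `prep` step is matched by the empty fragment of `SPEC` (the trace of an internal action is empty), whereas `BAD` maps `q1` to a state that `SPEC` can only reach by performing the external `send`, so both steps of `IMPL` are reported as violations.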



In a forward simulation there has to be a sequence of high-level steps starting from any of 
the high-level states related to the low-level pre-state and ending in some state related to the 
low-level post-state. The word "forward" thus refers to the fact that the high-level sequence of 
steps is constructed from any possible pre-state in a forward direction toward the set of possible 
post-states. 

In a backward simulation, on the other hand, there has to be a sequence of high-level steps 
ending in any state related to the low-level post-state and starting in some state related to the 
low-level pre-state. Thus, in a backward simulation the steps are constructed in a backward 
direction. 
This difference between forward and backward simulations implies that they apply to different
situations. In some cases a forward simulation is needed whereas other situations might
require a backward simulation. We shall see examples of this below.

We need the auxiliary definition of image-finiteness. A relation $R$ over $S_1 \times S_2$ is image-finite
if for each $s_1 \in S_1$, $R[s_1]$ is a finite set.

Definition 5.3 (Backward simulation)

Let $A$ and $B$ be safe I/O automata with $in(A) = in(B)$ and $out(A) = out(B)$ and with invariants
$I_A$ and $I_B$, respectively. A backward simulation from $A$ to $B$, with respect to $I_A$ and $I_B$, is a
relation $b$ over $states(A) \times states(B)$ that satisfies:

1. If $s \in I_A$ then $b[s] \cap I_B \ne \emptyset$.

2. If $s \in start(A)$ then $b[s] \cap I_B \subseteq start(B)$.

3. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $u' \in b[s'] \cap I_B$, then there exists an $\alpha \in frag^*(B)$ with
$lstate(\alpha) = u'$, $fstate(\alpha) \in b[s] \cap I_B$, and $trace(\alpha) = trace(a)$.

We write $A \le_B B$ if there exists a backward simulation from $A$ to $B$ with respect to some
invariants $I_A$ and $I_B$. If furthermore the backward simulation is image-finite, we write $A \le_{iB} B$.
If $b$ is a backward simulation from $A$ to $B$ with respect to some invariants $I_A$ and $I_B$, we write
$A \le_B B$ (or $A \le_{iB} B$ when $b$ is image-finite) via $b$.



In [LV93a] abstract notions of history variables [OG76, AL91] and prophecy variables [AL91] are 
given in terms of history relations and prophecy relations. Below, in Section 5.1.5, we consider 
history and prophecy variables and show how history variables can be added to a specification. 

5.1.2 Execution Correspondence 

This subsection introduces the Execution Correspondence Theorem (ECT). The ECT states that 
if any of the simulations from above has been proven from a low-level safe I/O automaton A to 
a high-level safe I/O automaton B, then for any execution of A, there exists a "corresponding" 
execution of B. In order to formalize this notion of correspondence, the notions of R-relation 
and index mapping are first introduced. 

Definition 5.4 ($R$-relation and index mappings)

Let $A$ and $B$ be safe I/O automata with $in(A) = in(B)$ and $out(A) = out(B)$ and let $R$ be
a relation over $states(A) \times states(B)$. Furthermore, let $\alpha$ and $\alpha'$ be executions of $A$ and $B$,
respectively.

$\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$
$\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$

We say that $\alpha$ and $\alpha'$ are $R$-related, written $(\alpha, \alpha') \in R$, if there exists a total, nondecreasing
mapping$^1$ $m : \{0, 1, \ldots, |\alpha|\} \to \{0, 1, \ldots, |\alpha'|\}$ such that

1. $m(0) = 0$,

2. $(s_i, u_{m(i)}) \in R$ for all $0 \le i \le |\alpha|$,

3. $trace(b_{m(i-1)+1} \cdots b_{m(i)}) = trace(a_i)$ for all $0 < i \le |\alpha|$, and

4. for all $j$, $0 \le j \le |\alpha'|$, there exists an $i$, $0 \le i \le |\alpha|$, such that $m(i) \ge j$.

The mapping $m$ is referred to as an index mapping from $\alpha$ to $\alpha'$ with respect to $R$.

We write $(A, B) \in R$ if for every execution $\alpha$ of $A$, there exists an execution $\alpha'$ of $B$ such that
$(\alpha, \alpha') \in R$.

$^1$If, e.g., $\alpha$ is infinite ($|\alpha| = \infty$), then the set $\{0, 1, \ldots, |\alpha|\}$ is supposed to denote the set of natural numbers
(not including $\infty$), and $i \le |\alpha|$ lets $i$ range over all natural numbers but not $\infty$.



Thus, an index mapping maps indices of states in the low-level execution to indices of states in the 
high-level execution. Effectively, an index mapping maps low-level states to corresponding high- 
level states such that the start states correspond (Condition 1), corresponding states are related 
by R (Condition 2), and the external actions between two consecutive pairs of corresponding 
states are the same at both the low level and the high level (Condition 3). Condition 4 ensures 
that the high-level execution ($\alpha'$) is not "too long", i.e., $\alpha'$ must not extend beyond the last 
state of $\alpha'$ corresponding to a state in $\alpha$ (if such a state exists). (Note that if $\alpha$ is finite, then 
$\alpha'$ must also be finite. However, even if $\alpha$ is infinite, $\alpha'$ can be finite if the index mapping is 
constant for indices above some bound.) 
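For finite executions the four conditions of Definition 5.4 can be checked mechanically, and an index mapping can even be found by enumerating all nondecreasing mappings. The following Python code is an added example and not part of the report: it represents an execution as a pair (states, actions), takes R as a predicate, and the two sample executions (a low-level automaton with an internal "transmit" step, a high-level one without) are constructed for the illustration.

```python
from itertools import combinations_with_replacement
from typing import Callable, Optional, Sequence

# Constructed example (not from the report): an executable check of Definition 5.4
# for finite executions. An execution is a pair (states, actions) with
# len(states) == len(actions) + 1, so states[i] is s_i and actions[i-1] is a_i.


def trace(actions: Sequence[str], external: frozenset) -> tuple:
    """trace(beta): the subsequence of beta consisting of the external actions."""
    return tuple(a for a in actions if a in external)


def is_index_mapping(alpha, alpha_prime, R: Callable, m: Sequence[int], external) -> bool:
    """True iff m is an index mapping from alpha to alpha' w.r.t. R
    (conditions 1-4 of Definition 5.4, finite case)."""
    s, a = alpha
    u, b = alpha_prime
    n, n_prime = len(a), len(b)                 # |alpha| and |alpha'|
    # m must be total on {0..|alpha|}, map into {0..|alpha'|} and be nondecreasing
    if len(m) != n + 1 or any(not 0 <= j <= n_prime for j in m):
        return False
    if any(m[i - 1] > m[i] for i in range(1, n + 1)):
        return False
    if m[0] != 0:                                                    # condition 1
        return False
    if not all(R(s[i], u[m[i]]) for i in range(n + 1)):             # condition 2
        return False
    for i in range(1, n + 1):                                        # condition 3
        # b_{m(i-1)+1} ... b_{m(i)} is the 0-indexed slice b[m(i-1):m(i)]
        if trace(b[m[i - 1]:m[i]], external) != trace([a[i - 1]], external):
            return False
    # condition 4: alpha' must not extend beyond the last state that corresponds
    return all(any(m[i] >= j for i in range(n + 1)) for j in range(n_prime + 1))


def find_index_mapping(alpha, alpha_prime, R: Callable, external) -> Optional[tuple]:
    """Return an index mapping witnessing (alpha, alpha') in R, or None.
    Brute force: every nondecreasing m is a sorted tuple over {0..|alpha'|}."""
    n, n_prime = len(alpha[1]), len(alpha_prime[1])
    for m in combinations_with_replacement(range(n_prime + 1), n + 1):
        if is_index_mapping(alpha, alpha_prime, R, m, external):
            return m
    return None


def are_R_related(alpha, alpha_prime, R: Callable, external) -> bool:
    """(alpha, alpha') in R iff some index mapping exists."""
    return find_index_mapping(alpha, alpha_prime, R, external) is not None


# Constructed sample input. Common external actions of A and B:
EXTERNAL = frozenset({"send_msg", "receive_msg"})

# Low-level automaton A has an internal "transmit" step between send and receive.
# Its states are (phase, number of undelivered messages).
ALPHA = (
    [("idle", 0), ("queued", 1), ("in_flight", 1), ("idle", 0)],
    ["send_msg", "transmit", "receive_msg"],
)
# High-level automaton B: a state is just the number of undelivered messages.
ALPHA_PRIME = ([0, 1, 0], ["send_msg", "receive_msg"])
# A high-level execution that drops the message internally instead of delivering it;
# no index mapping can match its (empty) trace against receive_msg in ALPHA.
ALPHA_PRIME_LOSSY = ([0, 1, 0], ["send_msg", "drop"])


def R(s, u) -> bool:
    """Relate a low-level state to a high-level state with the same message count."""
    return s[1] == u
```

The internal "transmit" step of A is matched by an empty sequence of B steps, which is why m maps two consecutive low-level states to the same high-level state.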

The Execution Correspondence Theorem of [GSSL93] is now stated. The theorem states that 
if a relation S has been proved to be a forward simulation, refinement mapping, or image- 
finite backward simulation from A to B, then for any execution of A, there exists an S-related 
execution of B. 

Theorem 5.5 (Execution Correspondence Theorem) 

Let A and B be safe I/O automata with in(A) = in(B) and out(A) = out(B). Assume for 
$X \in \{F, R, iB\}$ that $A \le_X B$ via S. Then $(A, B) \in S$. 



5.1.3 Proving Safe Implementation 

The simulation proof techniques presented above are sound proof techniques for the safe imple- 
mentation relation. Before we state this result, we first show two results relating the traces of 
R-related executions. 

Lemma 5.6 

Let A and B be safe I/O automata with in(A) = in(B) and out(A) = out(B) and let R be a 
relation over $states(A) \times states(B)$. Assume that $(\alpha, \alpha') \in R$ and let m be any index mapping 
from $\alpha$ to $\alpha'$ with respect to R. Then, for all $0 \le i \le |\alpha|$, $trace(\alpha|i) = trace(\alpha'|m(i))$. 



Since for any execution a, \a = a and any index mapping maps to 0, the following corollary 
is a direct consequence of Lemma 5.6. 
Corollary 5.7 

Let A and B be safe I/O automata with in(A) = in(B) and out(A) = out(B) and let R be a 
relation over $states(A) \times states(B)$. If $(\alpha, \alpha') \in R$, then $trace(\alpha) = trace(\alpha')$. 

■ 

Using this corollary and ECT, soundness of the simulation techniques can be proved. 

Theorem 5.8 (Soundness of simulations w.r.t. safe implementation) 

Let A and B be safe I/O automata with in(A) = in(B) and out(A) = out(B). Assume for some 
$X \in \{F, R, iB\}$ that $A \le_X B$. Then $A \sqsubseteq_S B$. 

■ 

5.1.4 Proving Correct Implementation 

A proof strategy for proving that a live I/O automaton (A, L) correctly implements another live 
I/O automaton (B,M) is now described. 

Lemma 5.9 

Let (A, L) and (B, M) be live I/O automata with in(A) = in(B) and out(A) = out(B). Also, 
let L and M be induced by the temporal formulas $Q_L$ and $Q_M$, respectively. Assume for some 
$X \in \{F, R, iB\}$ that $A \le_X B$ via S. If, for all $\alpha \in exec(A)$ and $\alpha' \in exec(B)$ with $(\alpha, \alpha') \in S$, 
$\alpha \models Q_L$ implies $\alpha' \models Q_M$, then $(A, L) \sqsubseteq_L (B, M)$. 

Proof 

This lemma follows directly from a similar result in [GSSL93] and our definition of a liveness 
condition being induced by a temporal formula. 



Thus, we have the following proof strategy to prove that (A,L) is a correct implementation of 
(B,M): 

1. Prove a simulation S from A to B with respect to some invariants. 

2. Assume $\alpha$ and $\alpha'$ are arbitrary executions of A and B, respectively, and assume that 
$(\alpha, \alpha') \in S$ and $\alpha$ is live (i.e., $\alpha \models Q_L$). 

3. Prove that $\alpha'$ is also live (i.e., $\alpha' \models Q_M$). 

This will usually be a proof by contradiction. That is, assume that a' is not live and show 
that this leads to a contradiction. This strategy gives a nice way of splitting the proof 
into cases since being live usually means satisfying a conjunction of conditions such that 
not being live means not satisfying one (at least) of these conditions. Thus, each of the 
conditions can be considered separately. 

It is evident that this proof strategy needs a way to go from temporal formulas satisfied by the 
high-level execution $\alpha'$ to temporal formulas satisfied by the low-level execution $\alpha$. For this 
purpose we have identified the following two basic lemmas which will prove very useful in the 
verification examples in Part II of this report. 
Lemma 5.10 

Let A and B be safe I/O automata with in(A) = in(B) and out(A) = out(B) and let R be 
a relation over $states(A) \times states(B)$. Furthermore, let $\alpha$ and $\alpha'$ be executions of A and B, 
respectively, such that $(\alpha, \alpha') \in R$. Finally, let C be a set of external actions (from the common 
set of external actions). Then 

$\alpha \models \Box\Diamond(C)$ iff $\alpha' \models \Box\Diamond(C)$ 

Proof 

In Appendix B. 



Lemma 5.11 

Let A and B be safe I/O automata with in(A) = in(B) and out(A) = out(B) and let R 
be a relation over $states(A) \times states(B)$. Furthermore, let $\alpha$ and $\alpha'$ be executions of A and 
B, respectively, such that $(\alpha, \alpha') \in R$. Assume P and Q are state formulas over A and B, 
respectively, such that for all $(s, u) \in R$, if $u \models Q$, then $s \models P$. Then, 

if $\alpha' \models \Diamond\Box Q$ then $\alpha \models \Diamond\Box P$ 

Proof 

In Appendix B. 



5.1.5 History and Prophecy Variables 

In [AL91] history and prophecy variables (together called auxiliary variables) are considered. 
It is shown that even though it is not possible to find a refinement mapping from A to B, by 
adding appropriate auxiliary variables to A to obtain $A_{aux}$ it is in most cases possible to find 
a refinement mapping from $A_{aux}$ to B. Then, since A can be shown to be equivalent to (i.e., 
to have the same traces as) $A_{aux}$, the soundness of refinement mappings implies that A safely 
implements B. 

History variables are only allowed to record the past history of the system. Thus, history 
variables are allowed in each step to be assigned a value based on all variables in the system, but 
must not affect the enabledness of actions or the changes made to other (ordinary) variables. 
As we shall see below, it is easy to syntactically define how to add a history variable to a system. 

Prophecy variables, on the other hand, are much more complicated since they are allowed 
to constrain the future behavior of the system. It is not possible to give a general syntactic 
characterization of prophecy variables. 

In [GSSL93] and [LV93a] abstract notions of history and prophecy variables are given in terms 
of history relations and prophecy relations. A system $A_h$ is then said to be obtained from A 
by adding history variables if there exists a history relation from A to $A_h$, and similarly for 
prophecy variables. 

The motivation for adding, e.g., history variables to a specification A to obtain $A_h$ is to 
ensure that a refinement mapping from $A_h$ to some high-level specification B can be devised. 
But since the existence of a history relation from A to $A_h$ implies that there exists a forward 
simulation from A to $A_h$, it is clear that it is possible to define a forward simulation directly 
from A to B and thereby avoid mentioning $A_h$ at all. (The forward simulation from A to B 
would be the composition of the forward simulation from A to $A_h$ and the refinement mapping 
from $A_h$ to B.) 

Similarly, instead of adding prophecy variables to A to get $A_p$ such that a refinement mapping 
from $A_p$ to B can be devised, it is possible to define a backward simulation directly from A to 
B. 

Now, since history variables can be defined using simple syntactic constraints, they are almost 
free to use, as opposed to prophecy variables. Thus, the approach we take is to use history 
variables whenever possible (which allows us to use refinement mappings instead of the more 
complicated notion of forward simulations) but to use backward simulations instead of having 
to deal with prophecy variables. Whether to use prophecy variables or backward simulations is 
a matter of taste and probably amounts to the same effort. When using backward simulations 
the complexity lies in showing that the relation is in fact a backward simulation, and when 
using prophecy variables the complexity lies in showing that the variables are in fact prophecy 
variables (which is done in a proof that actually has the flavor of a backward simulation). 

Syntactically Adding History Variables 

Let there be given a syntactic description of a safe I/O automaton A. Then a history variable 
h ($\notin variables(A)$) can be added to A to get $A_h$ as follows: 

1. To the list of state variables of A, append a line with h, the type of h, and the initial value 
of h. 

2. To each step rule of the form 

   name 
     Precondition: 
       P 
     Effect: 
       E 

   an assignment to h may be added 

   name 
     Precondition: 
       P 
     Effect: 
       E 
       h := e 

   where e is an expression that may mention h as well as other variables. Note that 
   the assignment to h may appear in an if-then-else statement, and that it may be moved 
   anywhere in the effect clause since this does not affect the assignment of values to any of 
   the other variables (but of course could affect the value assigned to h). 

For step rules for input actions, which have no precondition, the assignment to the history 
variable can be added to the effect clause similarly. 
We say that $A_h$ is obtained from safe I/O automaton A by adding the history variable h if the 
syntactic specification of $A_h$ can be obtained from that of A by 1) and 2). In this case, clearly $A_h$ 
is a safe I/O automaton and $variables(A_h) = variables(A) \cup \{h\}$. The following simple lemma 
states the close correspondence between the steps of A and $A_h$. 

Lemma 5.12 

Let $A_h$ be obtained from A by adding history variable h. Then, 

1. for each $(s, a, s') \in steps(A)$ and each $s_h \in states(A_h)$ with $s_h \lceil variables(A) = s$, there 
exists a step $(s_h, a, s'_h) \in steps(A_h)$ such that $s'_h \lceil variables(A) = s'$, and 

2. for each $(s_h, a, s'_h) \in steps(A_h)$, $(s_h \lceil variables(A), a, s'_h \lceil variables(A)) \in steps(A)$. 



Lemma 5.13 

Let $A_h$ be obtained from A by adding history variable h. Then, 

1. for each execution $\alpha \in exec(A)$, there exists an execution $\alpha_h \in exec(A_h)$ such that $\alpha_h \lceil A = \alpha$, and 

2. for each execution $\alpha_h \in exec(A_h)$, $\alpha_h \lceil A \in exec(A)$. 

Proof 

In Appendix B. 



Instead of proving the existence of a history relation from A to $A_h$ we directly prove that A 
safely implements $A_h$ and vice versa. 

Lemma 5.14 

Let $A_h$ be obtained from A by adding history variable h. Then $A \sqsubseteq_S A_h$ and $A_h \sqsubseteq_S A$. 

Proof 

In Appendix B. 



We now turn attention to live I/O automata. Let (A, L) be a live I/O automaton and let $A_h$ be 
a safe I/O automaton obtained from A by adding history variable h. Define 

$L_h = \{\alpha_h \in exec(A_h) \mid \alpha_h \lceil A \in L\}$ 

Then $(A_h, L_h)$ is a live I/O automaton since any environment-free strategy (g, f) for (A, L) can 
be trivially extended to an environment-free strategy $(g_h, f_h)$ for $(A_h, L_h)$ by letting $g_h$ and $f_h$ 
be like g and f except that they make arbitrary (possible) assignments to the history variable. 
We say that $(A_h, L_h)$ is a live I/O automaton obtained from (A, L) by adding history variable 
h. 
Lemma 5.15 

Let $(A_h, L_h)$ be obtained from (A, L) by adding history variable h. Then $(A, L) \sqsubseteq_L (A_h, L_h)$ and 
$(A_h, L_h) \sqsubseteq_L (A, L)$. 

Proof 

In Appendix B. 



The final lemma of this section deals with liveness formulas. 

Lemma 5.16 

Let $(A_h, L_h)$ be obtained from (A, L) by adding history variable h, and assume that L is induced 
by Q. Then $L_h$ is induced by Q. 

Proof 

In Appendix B. 



We can now turn attention to similar techniques to be used in the timed setting. 

5.2 Timed Systems 

The structure of this section is similar to the structure of Section 5.1. 

5.2.1 Timed Simulation Proof Techniques 

There are only two minor differences between the simulation relations presented here and the 
simulation relations from the untimed case. First, states related by a simulation relation must 
have the same time. Second, since the trace operator on execution fragments does not adequately 
abstract from time-passage actions, the simulation techniques below use a notion of visible trace. 
For any timed automaton A and any execution fragment $\alpha$ of A, define the visible trace of 
$\alpha$, written $vis\text{-}trace_A(\alpha)$, or just $vis\text{-}trace(\alpha)$ when A is clear from context, to be $\alpha \lceil vis(A)$. 
Similarly, given any sequence of actions $\beta$, define the visible trace of $\beta$, written $vis\text{-}trace_A(\beta)$, 
or just $vis\text{-}trace(\beta)$ if A is clear from context, to be $\beta \lceil vis(A)$. 

We now introduce the notions of timed forward simulations, timed refinement mappings, and 
timed backward simulations. 

Definition 5.17 (Timed forward simulation) 

Let A and B be safe timed I/O automata with in(A) = in(B) and out(A) = out(B) and with 
invariants $I_A$ and $I_B$, respectively. A timed forward simulation from A to B, with respect to $I_A$ 
and $I_B$, is a relation f over $states(A) \times states(B)$ that satisfies: 

1. If $u \in f[s]$ then $u.now = s.now$. 

2. If $s \in start(A)$ then $f[s] \cap start(B) \neq \emptyset$. 

3. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $u \in f[s] \cap I_B$, then there exists an $\alpha \in frag^*(B)$ with 
$fstate(\alpha) = u$, $lstate(\alpha) \in f[s']$, and $vis\text{-}trace(\alpha) = vis\text{-}trace(a)$. 

Write $A \le_{tF} B$ if there exists a timed forward simulation from A to B with respect to some 
invariants $I_A$ and $I_B$. If f is a timed forward simulation from A to B with respect to some 
invariants $I_A$ and $I_B$, we write $A \le_{tF} B$ via f. 



Definition 5.18 (Timed refinement mapping) 

Let A and B be safe timed I/O automata with in(A) = in(B) and out(A) = out(B) and with 
invariants $I_A$ and $I_B$, respectively. A timed refinement mapping from A to B, with respect to 
$I_A$ and $I_B$, is a function r from states(A) to states(B) that satisfies: 

1. $r(s).now = s.now$. 

2. If $s \in start(A)$ then $r(s) \in start(B)$. 

3. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $r(s) \in I_B$, then there exists an $\alpha \in frag^*(B)$ with 
$fstate(\alpha) = r(s)$, $lstate(\alpha) = r(s')$, and $vis\text{-}trace(\alpha) = vis\text{-}trace(a)$. 

Write $A \le_{tR} B$ if there exists a timed refinement mapping from A to B with respect to some 
invariants $I_A$ and $I_B$. If r is a timed refinement mapping from A to B with respect to some 
invariants $I_A$ and $I_B$, we write $A \le_{tR} B$ via r. 



Definition 5.19 (Timed backward simulation) 

Let A and B be safe timed I/O automata with in(A) = in(B) and out(A) = out(B) and with 
invariants $I_A$ and $I_B$, respectively. A timed backward simulation from A to B, with respect to 
$I_A$ and $I_B$, is a relation b over $states(A) \times states(B)$ that satisfies: 

1. If $u \in b[s]$ then $u.now = s.now$. 

2. If $s \in I_A$ then $b[s] \cap I_B \neq \emptyset$. 

3. If $s \in start(A)$ then $b[s] \cap I_B \subseteq start(B)$. 

4. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $u' \in b[s'] \cap I_B$, then there exists an $\alpha \in frag^*(B)$ 
with $lstate(\alpha) = u'$, $fstate(\alpha) \in b[s] \cap I_B$, and $vis\text{-}trace(\alpha) = vis\text{-}trace(a)$. 

Write $A \le_{tB} B$ if there exists a timed backward simulation from A to B with respect to 
some invariants $I_A$ and $I_B$. If furthermore the timed backward simulation is image-finite, write 
$A \le_{itB} B$. If b is a timed backward simulation from A to B with respect to some invariants $I_A$ 
and $I_B$, we write $A \le_{tB} B$ (or $A \le_{itB} B$ when b is image-finite) via b. 
5.2.2 Execution Correspondence 

As in the untimed case, the simulation relations imply a certain correspondence between the 
ordinary executions of the involved timed automata. The following definition formalizes this 
correspondence, called timed R-relation, and defines a notion of timed index mapping. The 
definition is similar to Definition 5.4 in the untimed model; the only differences are that the R 
relation must relate states with the same time and that the definition below deals with visible 
traces as opposed to traces, i.e., the same differences as in the simulations. 

Definition 5.20 (Timed R-relation and timed index mappings) 

Let A and B be safe timed I/O automata with in(A) = in(B) and out(A) = out(B), and 
let R be a relation over $states(A) \times states(B)$ such that if $(s, u) \in R$, then $s.now = u.now$. 
Furthermore, let $\alpha$ and $\alpha'$ be (ordinary) executions of A and B, respectively. 

$\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ 
$\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$ 

We say that $\alpha$ and $\alpha'$ are timed R-related, written $(\alpha, \alpha') \in_t R$, if there exists a total, nondecreasing 
mapping $m : \{0, 1, \ldots, |\alpha|\} \to \{0, 1, \ldots, |\alpha'|\}$ such that 

1. $m(0) = 0$, 

2. $(s_i, u_{m(i)}) \in R$ for all $0 \le i \le |\alpha|$, 

3. $vis\text{-}trace(b_{m(i-1)+1} \cdots b_{m(i)}) = vis\text{-}trace(a_i)$ for all $0 < i \le |\alpha|$, and 

4. for all $j$, $0 \le j \le |\alpha'|$, there exists an $i$, $0 \le i \le |\alpha|$, such that $m(i) \ge j$. 

The mapping m is referred to as a timed index mapping from $\alpha$ to $\alpha'$ with respect to R. 

Write $(A, B) \in_t R$ if for every execution $\alpha$ of A, there exists an execution $\alpha'$ of B such that 
$(\alpha, \alpha') \in_t R$. 



Now the Execution Correspondence Theorem for the timed case [GSSL93] can be stated. 

Theorem 5.21 (Execution Correspondence Theorem) 

Let A and B be safe timed I/O automata with in(A) = in(B) and out(A) = out(B). Assume 
for $X \in \{tF, tR, itB\}$ that $A \le_X B$ via S. Then $(A, B) \in_t S$. 



5.2.3 Proving Safe Timed Implementation 

Due to the fact that timed R-related executions have the same time in related states and have 
a correspondence between their visible traces, it is possible to prove that timed R-related 
executions have the same timed traces. 

Lemma 5.22 
Let A and B be safe timed I/O automata with in(A) = in(B) and out(A) = out(B) and let R 
be a relation over $states(A) \times states(B)$ such that if $(s, u) \in R$ then $s.now = u.now$. Then, if 
$(\alpha, \alpha') \in_t R$, then $t\text{-}trace(\alpha) = t\text{-}trace(\alpha')$. 



The soundness of the timed simulations with respect to the timed safe preorders can now be 
stated. 

Theorem 5.23 (Soundness of timed simulations w.r.t. safe timed implementation) 

Let A and B be safe timed I/O automata with in(A) = in(B) and out(A) = out(B). Assume 
for some $X \in \{tF, tR, itB\}$ that $A \le_X B$. Then $A \sqsubseteq_{St} B$. 



5.2.4 Proving Correct Timed Implementation 

We can prove the following result which is similar to Lemma 5.9 in the untimed setting. This 
lemma will form the basis of any proof of correct implementation in the timed setting. 

Lemma 5.24 

Let (A, L) and (B, M) be live timed I/O automata with in(A) = in(B) and out(A) = out(B). 
Also, let L and M be induced by $Q_L$ and $Q_M$, respectively, and assume that $Q_M$ is minimal. 
Assume for some $X \in \{tF, tR, itB\}$ that $A \le_X B$ via S. If, for all $\alpha \in exec^\infty(A)$ and $\alpha' \in 
exec^\infty(B)$ with $(\alpha, \alpha') \in S$, $\alpha \models Q_L$ implies $\alpha' \models Q_M$, then $(A, L) \sqsubseteq_{Lt} (B, M)$. 



Proof 

This lemma directly follows from a similar result in [GSSL93] and our definition of a sampling 
characterization being induced by a temporal formula. 



Lemma 5.24 can be used to prove the correct timed implementation relation between two live 
timed I/O automata in a manner similar to the way Lemma 5.9 is used in the untimed model. 
However, one must first prove that the high-level liveness condition is induced by a minimal 
timed liveness formula. 

The following lemmas correspond to Lemmas 5.10 and 5.11 above. 

Lemma 5.25 

Let A and B be safe timed I/O automata with in(A) = in(B) and out(A) = out(B) and let R be 
a relation over $states(A) \times states(B)$ such that if $(s, u) \in R$, then $s.now = u.now$. Furthermore, 
let $\alpha$ and $\alpha'$ be executions of A and B, respectively, such that $(\alpha, \alpha') \in R$. Finally, let C be a 
set of visible actions (from the common set of visible actions). Then 

$\alpha \models \Box\Diamond(C)$ iff $\alpha' \models \Box\Diamond(C)$ 

Proof 

Similar to the proof of Lemma 5.10. 

■ 

Lemma 5.26 

Let A and B be safe timed I/O automata with in(A) = in(B) and out(A) = out(B) and let R be 
a relation over $states(A) \times states(B)$ such that if $(s, u) \in R$, then $s.now = u.now$. Furthermore, 
let $\alpha$ and $\alpha'$ be executions of A and B, respectively, such that $(\alpha, \alpha') \in R$. Assume P and Q are 
state formulas over A and B, respectively, such that for all $(s, u) \in R$, if $u \models Q$, then $s \models P$. 
Then, 

if $\alpha' \models \Diamond\Box Q$ then $\alpha \models \Diamond\Box P$ 

Proof 

Similar to the proof of Lemma 5.11. 

■ 

5.2.5 History and Prophecy Variables 

As in the untimed setting it is possible to add history variables to safe and live timed I/O au- 
tomata. As above we only deal with history variables and adhere to timed backward simulations 
instead of using prophecy variables. 

Syntactically Adding History Variables 

The syntactic rules for adding history variables to a safe timed I/O automaton are equal to 
the same rules in the untimed setting. However, in the timed setting, we do not allow history 
variables to be updated in time-passage steps since otherwise the resulting object would not 
necessarily be a safe timed I/O automaton (that is, the trajectory axiom S5 of Definition 2.17 
could be violated). Thus, a history variable h ($\notin variables(A)$) can be added to a safe timed 
I/O automaton A to get $A_h$ by following the two rules in Section 5.1.5 with the restriction 
that h must not be changed in the step rule for the time-passage action $\nu$. We say that $A_h$ is 
obtained from A by adding the history variable h. Clearly $A_h$ is a safe timed I/O automaton 
and $variables(A_h) = variables(A) \cup \{h\}$. 

In previous chapters we have defined how to restrict ordinary executions to subsets of state 
variables and actions. Below we need a similar result for timed executions; however, we need 
only deal with restriction to a subset of the state variables. So, let $\Sigma = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ be a timed 
execution of a safe timed I/O automaton A. Then, for any set $V \subseteq variables(A)$, define $\Sigma \lceil V$ to 
be the sequence $\omega'_0 a_1 \omega'_1 a_2 \omega'_2 \cdots$, where for each index i and each $t \in dom(\omega_i)$, $\omega'_i(t) = \omega_i(t) \lceil V$. 
Thus, informally $\Sigma \lceil V$ is obtained from $\Sigma$ by restricting all states in the range of all trajectories 
to V. If $A_h$ is obtained from A by adding history variable h and $\Sigma_h \in t\text{-}exec(A_h)$, we let $\Sigma_h \lceil A$ 
be a shorthand for $\Sigma_h \lceil variables(A)$. 

As in the untimed case, we have the following lemmas. 

Lemma 5.27 

Let $A_h$ be obtained from A by adding history variable h. Then, 

1. for each $(s, a, s') \in steps(A)$ and each $s_h \in states(A_h)$ with $s_h \lceil variables(A) = s$, there 
exists a step $(s_h, a, s'_h) \in steps(A_h)$ such that $s'_h \lceil variables(A) = s'$, and 

2. for each $(s_h, a, s'_h) \in steps(A_h)$, $(s_h \lceil variables(A), a, s'_h \lceil variables(A)) \in steps(A)$. 



Lemma 5.28 

Let $A_h$ be obtained from A by adding history variable h. Then, 

1. for each timed execution $\Sigma \in t\text{-}exec(A)$, there exists a timed execution $\Sigma_h \in t\text{-}exec(A_h)$ 
such that $\Sigma_h \lceil A = \Sigma$, and 

2. for each timed execution $\Sigma_h \in t\text{-}exec(A_h)$, $\Sigma_h \lceil A \in t\text{-}exec(A)$. 

Proof 

In Appendix B. 



These lemmas allow us to prove that a safe timed I/O automaton A is a safe implementation of 
any safe timed I/O automaton $A_h$ obtained by adding history variable h to A, and vice versa. 

Lemma 5.29 

Let $A_h$ be obtained from A by adding history variable h. Then $A \sqsubseteq_{St} A_h$ and $A_h \sqsubseteq_{St} A$. 

Proof 

Similar to the proof of Lemma 5.14 by using Lemma 5.28. 



Now, let (A, L) be a live timed I/O automaton and let $A_h$ be a safe timed I/O automaton 
obtained from A by adding history variable h. Define 

$L_h = \{\Sigma_h \in t\text{-}exec^\infty(A_h) \mid \Sigma_h \lceil A \in L\}$ 

Then $(A_h, L_h)$ is a live timed I/O automaton since any environment-free strategy (g, f) for $(A, L \cup 
t\text{-}exec^{zt}(A))$ can be trivially extended to an environment-free strategy $(g_h, f_h)$ for $(A_h, L_h \cup 
t\text{-}exec^{zt}(A_h))$ by letting $g_h$ and $f_h$ be like g and f except that they make arbitrary (possible) 
assignments to the history variable. We say that $(A_h, L_h)$ is a live timed I/O automaton obtained 
from (A, L) by adding history variable h. 

Lemma 5.30 

Let $(A_h, L_h)$ be obtained from (A, L) by adding history variable h. Then $(A, L) \sqsubseteq_{Lt} (A_h, L_h)$ and 
$(A_h, L_h) \sqsubseteq_{Lt} (A, L)$. 

Proof 

Similar to the proof of Lemma 5.15 by using Lemma 5.28. 
Before we can prove the final lemma, which deals with timed liveness formulas, we state the 
following trivial result without proof. 

Lemma 5.31 

Let $A_h$ be obtained from A by adding history variable h. Furthermore let $\alpha_h$ and $\Sigma_h$ range 
over $exec(A_h)$ and $t\text{-}exec(A_h)$, respectively, and let $\alpha$ and $\Sigma$ range over $exec(A)$ and $t\text{-}exec(A)$, 
respectively. Then, 

1. if $\alpha_h$ samples $\Sigma_h$ then $\alpha_h \lceil A$ samples $\Sigma_h \lceil A$, and 

2. if $\alpha$ samples $\Sigma_h \lceil A$, then there exists an $\alpha_h$ such that $\alpha = \alpha_h \lceil A$ and $\alpha_h$ samples $\Sigma_h$. 



Lemma 5.32 

Let $(A_h, L_h)$ be obtained from (A, L) by adding history variable h, and assume that L is induced 
by Q. Then $L_h$ is induced by Q. 

Proof 

In Appendix B. 



This concludes the theoretical part of the report. We now turn attention to the verification 
example of proving correctness of two solutions to the at-most-once message delivery problem. 



Part II 

Reliable At-Most-Once Message 
Delivery Protocols 

A Protocol Verification Example 



Chapter 6 

Specification S 



This chapter describes the top-level specification of the "at-most-once message delivery" prob- 
lem. The specification will be given in terms of a live I/O automaton. The objective of the S 
level is to give a clear, easy-to-understand specification that can easily be checked to have the 
desirable behavior. 

The at-most-once message delivery problem is that of delivering a sequence of messages 
submitted by a user at one location to another user at another location. Ideally, we would like 
to insist that all messages be delivered in the order in which they are sent, each exactly once, 
and that an acknowledgement be returned for each delivered message.¹ 

Unfortunately, it is expensive to achieve these goals in the presence of failures (e.g., node 
crashes). In fact, it is impossible to achieve them at all unless some change is made to the 
stable state (i.e., the state that survives a crash) for each message. To permit less expensive 
solutions, we weaken the statement of the problem slightly. We allow some messages to be lost 
when a node crash occurs; however, no messages should otherwise be lost, and those messages 
that are delivered should not be reordered or duplicated. (The specification is weakened in this 
way because message loss is generally considered to be less damaging than duplicate delivery.) 
Now it is required that the user who sent the message receive either an acknowledgement that 
the message has been delivered, or in the case of crashes, an indication that the message might 
have been lost. 

Even though our specification S is centralized (i.e., has no distributed structure), the external 
actions of S can be partitioned into actions connected to the user at the sender side and actions 
connected to the user at the receiver side. This user interface, which will be the same for all 
subsequent implementations, is depicted in Figure 6.1, where the specification S is shown as a 
"black box". 

A user can send a message m to the system by issuing a send_msg(m) action, and the system 
can pass a message m to the user at the receiver end by means of a receive_msg(m) action. 
Crashes at the sender and receiver sides are modeled as inputs $crash_s$ and $crash_r$, respectively², 
and the corresponding recovery actions are outputs $recover_s$ and $recover_r$. If a $crash_s$ but not 
yet a $recover_s$ action has occurred, we say that the sender side is crashed or equivalently that 
it is in recovery phase. Correspondingly for the receiver side. During a crash messages can be 
lost. This is in S modeled by a lose(I) action (not depicted in Figure 6.1 since it is internal). 



¹ Our definition of at-most-once message delivery is different from what some people call at-most-once message 
delivery in that we include acknowledgements and require messages to be delivered in order. 

² We will use subscripts s and r on actions and state variables to indicate which are related to the sender and 
receiver sides, respectively. 
Figure 6.1: The specification S as a "black box" 



Finally, there is a simple acknowledgement mechanism incorporated into the specification. 
An action ack(b), where b is a Boolean, notifies the user at the sender side about the status of 
the last message sent. If acknowledgements are needed for each message, the user must wait for 
acknowledgement before sending the next message. Our simpler acknowledgement mechanism 
reflects the way typical low-level protocols work. Thus, if the user sends a sequence of messages 
$m_1, \ldots, m_n$ without waiting for acknowledgement between each pair of messages, a subsequent 
acknowledgement will be for message $m_n$. Ideally, an ack(true) should be issued if the last 
message sent has been successfully delivered to the receiver, and an ack(false) should be issued 
if the last message has been lost during a crash. This is, again, impossible to obtain in a 
distributed implementation unless some changes are made to the stable state for each message, 
so we will use a weaker acknowledgement mechanism: if an ack(true) is issued, the last message 
has been successfully received. If, on the other hand, an ack(false) is issued, the only thing the 
user can infer is that a crash has occurred. Thus, even in the case of negative acknowledgement, 
the last message might have been successfully delivered since all messages are not necessarily 
lost during crashes. 

6.1 The Specification of S 

We now define the live I/O automaton representing the specification S. We will let S represent 
both the name of this level of development and the name of the live I/O automaton. 

We specify S by defining its components (cf. Definitions 2.1 and 2.8). We refer to the safe 
I/O automaton part of S by $A_S$, and to the liveness part by $L_S$. Thus, $S = (A_S, L_S)$. $L_S$ will be 
specified implicitly by an environment-free liveness formula $Q_S$ for $A_S$. 



6.1.1 States and Start States 

In S and the lower level protocols we assume that messages are taken from a set Msg. We require 
that $nil \notin Msg$ but assume no other properties of Msg. 

The state space of S is made up of four state variables as shown in the following table, which 
furthermore shows the types and initial values of the state variables. The status variable ranges 
over the set 

$Stat = Bool \cup \{?\}$ 

Variable   Type   Initially   Description 
queue      Msg*   ε           The list of messages sent but not yet delivered. 
rec_s      Bool   false       true iff the sender side has crashed and not yet recovered. 
rec_r      Bool   false       true iff the receiver side has crashed and not yet recovered. 
status     Stat   false       Indicates the status of the last message sent. The special 
                              value '?' indicates that the last message sent is still in 
                              queue and no crashes have occurred since it was sent. 

6.1.2 Actions 

The set of actions of S consists of the input and output actions from Figure 6.1 plus the internal 
lose(I) action. 

Input: 
  send_msg(m), m ∈ Msg 
  crash_s 
  crash_r 
Output: 
  receive_msg(m), m ∈ Msg 
  ack(b), b ∈ Bool 
  recover_s 
  recover_r 
Internal: 
  lose(I), I ⊆ N 

6.1.3 Steps 

The transition relation $steps(A_S)$ will be specified using the precondition-effect style presented 
in Section 4.1.1. 



send_msg(m) 
  Effect: 
    queue := queue ⌢ m 
    status := ? 

ack(b) 
  Precondition: 
    status = b 
  Effect: 
    none 

receive_msg(m) 
  Precondition: 
    queue ≠ ε ∧ head(queue) = m 
  Effect: 
    queue := tail(queue) 
    if queue = ε ∧ status = ? then 
      status := true 

crash_s 
  Effect: 
    rec_s := true 

crash_r 
  Effect: 
    rec_r := true 

lose(I) 
  Precondition: 
    (rec_s = true ∨ rec_r = true) ∧ I ⊆ dom(queue) 
  Effect: 
    if queue ≠ ε ∧ maxidx(queue) ∈ I then 
      status := false 
    else 
      optionally status := false 
    queue := delete(queue, I) 

recover_s 
  Precondition: 
    rec_s = true 
  Effect: 
    rec_s := false 

recover_r 
  Precondition: 
    rec_r = true 
  Effect: 
    rec_r := false 

The function delete in the step rule for lose(I) deletes messages with indices in I from queue. 
Formally, for any list q and any set $I \subseteq dom(q)$, define 

$delete(q, I) = (q[i] \mid i \in dom(q) \wedge i \notin I)$ 

The notation to the right of = is defined in Appendix A. 

The handling of queue, rec_s, and rec_r in the step rules is self-explanatory. The handling of
status is a bit more complicated: when a new message m is sent to the system (modeled by
send_msg(m) steps), status is changed to ? to indicate that the last message sent is in queue.
When a message is delivered to the receiver (modeled by receive_msg(m) steps) and queue
thereby becomes empty, status should be changed to true, but only if the message delivered
is in fact the last message sent and not another message that happens to be last on queue
because the last message sent has been lost in a crash. Thus, at any point a status value of ?
indicates that the message at the end of queue is actually the last message sent by the sender.
This explains the receive_msg(m) steps. The lose(I) action then records whether the message at the
end of queue is lost by changing status to false. (If the message at the end of queue is not the
last message sent, status would already be false.) On the other hand, if the message at the end
of queue is not deleted, we are still allowed to change status to false according to our informal
description of the acknowledgement mechanism given in the introduction to this chapter.

Note that it is possible for the system to output a positive acknowledgement for a message
and then "change its mind" and start issuing negative acknowledgements. However, this change
of mind can only happen during a crash. (In such a situation the user knows that the last
message has been delivered since she has received a positive acknowledgement.)

Another thing to note is the fact that the ack(b) steps do not disable themselves. Thus, once
status becomes true or false, acknowledgements can be sent continuously until a new message
is put into queue by a send_msg(m) step. (Actually, with the liveness restrictions we present
below, acknowledgements must be issued infinitely often if status stays true or false and no
crashes occur.) A remedy to this situation would be to introduce an additional flag, which is
set when status is changed from ? to a Boolean, and reset when an acknowledgement is issued.
Acknowledgements should then only be enabled when this flag is set. We have chosen not to
introduce the flag since it would add only few interesting aspects to the implementations.
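As an added illustration, which is not part of the report, the following Python model renders A_S executably: a frozen dataclass holds the four state variables, every action is a function from a state to its post-state (or None when the precondition does not hold), and the constructed scenario at the end exercises the status handling just described, a sender crash that loses the last message sent. The value None stands for '?', and the keyword argument lose_status, which resolves the "optionally status := false" branch of lose(I), is our naming.

```python
from dataclasses import dataclass, replace
from typing import Optional, Set, Tuple

# Added example, not part of the report: an executable rendering of the safe
# I/O automaton A_S of Section 6.1. Stat = Bool ∪ {?}, with Python's None
# standing for '?'. Each step function returns the post-state, or None when
# the action's precondition does not hold in the given state.
Stat = Optional[bool]


@dataclass(frozen=True)
class StateS:
    queue: Tuple[str, ...] = ()   # Msg*: messages sent but not yet delivered
    rec_s: bool = False           # sender side crashed and not yet recovered
    rec_r: bool = False           # receiver side crashed and not yet recovered
    status: Stat = False          # status of the last message sent


def delete(q: Tuple[str, ...], indices: Set[int]) -> Tuple[str, ...]:
    """delete(q, I) of Section 6.1.3: keep q[i] for i in dom(q) with i not in I."""
    return tuple(x for i, x in enumerate(q) if i not in indices)


def send_msg(s: StateS, m: str) -> StateS:
    # Input action, always enabled; the new message is now the last one sent.
    return replace(s, queue=s.queue + (m,), status=None)


def ack(s: StateS, b: bool) -> Optional[StateS]:
    # Output action with precondition status = b and no effect, so it stays
    # enabled after it occurs (as noted in the text).
    return s if s.status == b else None


def receive_msg(s: StateS, m: str) -> Optional[StateS]:
    if not s.queue or s.queue[0] != m:
        return None
    q = s.queue[1:]
    # Emptying the queue yields a positive status only if the message delivered
    # was the last one sent, i.e., status was still '?'.
    status = True if (not q and s.status is None) else s.status
    return replace(s, queue=q, status=status)


def crash_s(s: StateS) -> StateS:
    return replace(s, rec_s=True)


def crash_r(s: StateS) -> StateS:
    return replace(s, rec_r=True)


def recover_s(s: StateS) -> Optional[StateS]:
    return replace(s, rec_s=False) if s.rec_s else None


def recover_r(s: StateS) -> Optional[StateS]:
    return replace(s, rec_r=False) if s.rec_r else None


def lose(s: StateS, indices: Set[int], lose_status: bool = False) -> Optional[StateS]:
    """Internal lose(I); lose_status (our naming) resolves the
    'optionally status := false' branch of the step rule."""
    if not (s.rec_s or s.rec_r) or not indices <= set(range(len(s.queue))):
        return None
    if s.queue and len(s.queue) - 1 in indices:
        status = False             # the last message sent is lost: status must become false
    else:
        status = False if lose_status else s.status
    return replace(s, queue=delete(s.queue, indices), status=status)


def crash_loses_last_message() -> StateS:
    """Constructed scenario: two messages are sent, a sender crash loses the
    last one, and after recovery the remaining message is delivered. The
    queue empties, but status stays false, so no ack(true) is ever enabled."""
    s = send_msg(send_msg(StateS(), "m1"), "m2")   # status = ?
    s = lose(crash_s(s), {1})                       # maxidx(queue) ∈ I
    s = recover_s(s)
    return receive_msg(s, "m1")
```

Running the scenario shows the point made above: after the crash the queue still holds m1, but status is already false, so delivering m1 and thereby emptying the queue does not turn status into true, and only ack(false) is enabled.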
6.1.4 Liveness

We now present the environment-free liveness formula Q_S for A_S, which induces the liveness
condition L_S. The liveness we specify for S is weak fairness to four sets of locally-controlled
actions. Two of these sets have associated forcing conditions. Note that lose(I) actions are not
in any set since we do not want to force the system to lose anything. Informally, the sets and
forcing conditions are:

1. ack(b) actions
   Forcing condition: rec_s = rec_r = false

2. receive_msg(m) actions
   Forcing condition: rec_s = rec_r = false

3. recover_s

4. recover_r

With these liveness restrictions we guarantee that in the absence of crashes, messages in queue 
will be delivered and acknowledgements for the last message will be issued unless new messages 
are sent to the system. Furthermore, both the sender side and the receiver side are guaranteed 
to recover after a crash. (This requirement on recovery could be removed from all levels of 
abstraction without affecting other liveness properties. All interesting liveness properties are, in 
fact, conditioned by the assumption that no new crashes occur.) 

The liveness requirements can be formalized in the following way. Let

  C_{S,1} = {ack(true), ack(false)}
  C_{S,2} = {receive_msg(m) | m ∈ Msg}
  C_{S,3} = {recover_s}
  C_{S,4} = {recover_r}

Then the formalization of Q_S is

  Q_S = WF(C_{S,1}, rec_s = false ∧ rec_r = false) ∧
        WF(C_{S,2}, rec_s = false ∧ rec_r = false) ∧
        WF(C_{S,3}) ∧
        WF(C_{S,4})

By Lemma 4.7, Q_S is an environment-free liveness formula for A_S. Thus, S = (A_S, L_S) is a live
I/O automaton. Furthermore, by Lemma 4.8, Q_S is stuttering-insensitive.

This concludes the formal specification of the at-most-once message delivery problem. 



Chapter 7 

Delayed-Decision Specification D 



In our specification S, presented in Chapter 6, we saw that it is allowed to lose any number of
messages in the system, but only if either rec_s or rec_r is true, i.e., we can only lose messages
between crash and recovery. In the low-level protocols we consider, the choice whether or not
to lose a message because of a crash may be postponed until after recovery, and the choice
depends on certain race conditions on the network channels: a message m traveling on a
channel and the receiver have no way of knowing if the sender has crashed, so even if the sender
has crashed, the message might still be successfully received by the receiver. But, if the sender
recovers and sends a new message on the channel, the reception of this new message before m
(our channels are not FIFO) will lead to the discarding of m when it is eventually received (since
otherwise messages could be reordered).

This postponing of nondeterministic choices suggests that we at one point have to rely on a 
backward simulation to prove correctness of the low-level protocols. In a first attempt, a timed 
backward simulation was proved directly from the Clock-Based Protocol C to S (or rather the 
patient version of S). A lot of this work would have had to be repeated in a backward simulation 
from the Five-Packet Handshake Protocol H to S, so after having designed the Generic Protocol 
G, we proved a backward simulation from G to S, and could then do with a timed refinement 
from C to patient(G) and a refinement from H to G. 

Still, the proof from G to S was very large and comprehensive. It is our experience that 
backward simulations are generally difficult to deal with, mainly because they are not so intuitive 
as forward simulations. This observation led us to try to "limit" the backward simulation to 
a development step as small as possible. Generally, one should always try to find steps of 
development that are intuitive, and remember that a series of steps (with proofs) are generally 
easier to comprehend than is one big proof, even though the combined length of the small proofs 
might exceed the length of the big proof. 

So, as an intermediate level between S and G we came up with the Delayed-Decision Specification
D, which looks very much like S, but instead of deleting messages between crash and
recovery, D marks arbitrary messages, and marked messages can then be lost at any point. D
also deals with postponing of losing (i.e., changing to false) the status as the result of a crash.
When we describe the steps of D, we will further explain the differences between S and D.

It should be noted, that even though we postpone the decision about which messages to lose, 
only messages which were in the system between crash and recovery can be lost. A system that 
did not satisfy this restriction could not, of course, implement S. 

The rest of this chapter is organized as follows. First, in Section 7.1, we present D and then, in 
Section 7.2, we prove that D correctly implements S.

7.1 The Specification of D

We specify D = (A_D, L_D) as a live I/O automaton using the notation introduced in Chapter 4.
L_D will be specified implicitly by the environment-free liveness formula Q_D for A_D.

7.1.1 States and Start States

The marks we put on messages and status are taken from the following set:

  Flag = {OK, marked}



  Variable   Type           Initially    Description
  queue      (Msg × Flag)*  ε            The list of messages in the system. Each message has an
                                         associated flag. If the flag value is marked, the message
                                         might be lost in a subsequent drop(I) action.
  rec_s      Bool           false        true iff the sender has crashed and not yet recovered.
  rec_r      Bool           false        true iff the receiver has crashed and not yet recovered.
  status     Stat × Flag    (false, OK)  Indicates the status of the last message sent. If the
                                         associated flag is marked, the status might be changed to
                                         false in a subsequent drop(I) action.


We use the normal record notation to extract components of a value or variable. For instance,
status.stat and status.flag extract the status value and status flag from status.

We say that status is marked if status.flag = marked, and correspondingly an element e of
queue is marked if e.flag = marked. If an element of queue or the status is not marked, it is said
to be OK or "not marked".



7.1.2 Actions

The input and output actions, i.e., the user interface, of A_D are, of course, the same as for A_S.
A_D has the internal actions mark(I), unmark(I), and drop(I).

Input:
  send_msg(m), m ∈ Msg
  crash_s
  crash_r
Output:
  receive_msg(m), m ∈ Msg
  ack(b), b ∈ Bool
  recover_s
  recover_r
Internal:
  mark(I), I ⊆ N
  unmark(I), I ⊆ N
  drop(I), I ⊆ N



7.1.3 Steps

Here we present the steps of A_D. An explanation of the steps is offered below.

send_msg(m)
  Effect:
    queue := queue ⌢ (m, OK)
    status := (?, OK)

ack(b)
  Precondition:
    status.stat = b
  Effect:
    status.flag := OK

receive_msg(m)
  Precondition:
    queue ≠ ε ∧ (head(queue)).msg = m
  Effect:
    queue := tail(queue)
    if queue = ε ∧ status.stat = ? then
      status.stat := true

crash_s
  Effect:
    rec_s := true

crash_r
  Effect:
    rec_r := true

mark(I)
  Precondition:
    (rec_s = true ∨ rec_r = true) ∧ I ⊆ dom(queue)
  Effect:
    queue := mark(queue, I)
    optionally status.flag := marked

recover_s
  Precondition:
    rec_s = true
  Effect:
    rec_s := false

recover_r
  Precondition:
    rec_r = true
  Effect:
    rec_r := false

unmark(I)
  Precondition:
    I ⊆ dom(queue)
  Effect:
    queue := unmark(queue, I)
    optionally status.flag := OK

drop(I)
  Precondition:
    I ⊆ {i | i ∈ dom(queue) ∧ queue[i].flag = marked}
  Effect:
    if queue ≠ ε ∧ maxidx(queue) ∈ I then
      status := (false, OK)
    else if status.flag = marked then
      optionally status := (false, OK)
    queue := delete(queue, I)

In the step rule for drop we use the function delete, which was defined in Chapter 6 and used in
the definition of lose(I) at the S level. The precondition of drop(I) guarantees that only marked
messages are deleted. The step rule for mark uses a function mark, which is intended to mark
messages with indices in I. Formally, for any queue q ∈ (Msg × Flag)* and any set I ⊆ dom(q),
define

  mark(q, I) = ((if i ∈ I then (q[i].msg, marked) else q[i]) | i ∈ dom(q))

Similarly, the step rule for unmark uses the function unmark defined as

  unmark(q, I) = ((if i ∈ I then (q[i].msg, OK) else q[i]) | i ∈ dom(q))

Furthermore, note that when a new message is put into queue (by send_msg(m)), the message
and status get the flag OK to indicate that they cannot be lost (yet). In the definition of the
receive_msg(m) steps it is seen that a message might be successfully delivered to the receiver
even though it is marked. This is because a marked message only has the possibility of being
deleted.

Recall from the definition of S that there are two ways in which status can be lost (i.e., get a
status value of false), and both ways are described in the definition of lose(I) in A_S: 1) if the
element at the end of the queue is deleted, then the status is required to be lost, and 2) in any
lose(I) step the status may be lost.

In A_D a status flag of marked corresponds to point 2), i.e., that status may be lost. In
the mark(I) steps of A_D permission is given to lose some messages and maybe status. Then
in drop(I) steps of A_D, which do the actual deleting performed by lose(I) in A_S, status is
required to be lost if the element at the end of queue is deleted, even though status is OK. This
corresponds to point 1) above, where status is required to be lost. Steps labeled by drop(I) are,
of course, always allowed to lose a marked status.

The effect clause in the definition of the ack(b) steps is explained as follows: suppose status.stat =
? and that status.flag has been changed to marked during a crash (by mark(I)). In a subsequent
receive_msg(m) step that empties queue, status.stat is changed to true, which enables
an ack(true) action. After the receive_msg(m) step, status = (true, marked), so there is still
a possibility of losing status. However, once a positive acknowledgement has been issued, the
system must not lose status and start issuing negative acknowledgements. Remember from the
S level that the system is only allowed to change its mind in this respect during a crash. Thus,
by changing status.flag to OK in the ack steps, we disallow this change of mind. Note that it
would be too restrictive to change status to (true, OK) in receive_msg(m) since we want A_D to
be as nondeterministic as possible, to allow as many implementations as possible.

Another point where we have made A_D very nondeterministic is in the way messages (and
status) are marked and deleted. In a mark(I) step some messages are marked, in an
unmark(I) step, which can happen at any time, some of the marked messages can be made
OK again, and finally in a drop(I) step some of the marked messages are deleted.

Here, again, the point is that we want A_D to be as nondeterministic as possible. Of course
the effect of marking some elements could be obtained by a "deterministic" mark that marks
everything followed by unmark(I). However, when performing simulation proofs from lower
levels of abstraction, it is desirable, for clarity, to have the actions of A_D as nondeterministic as
possible. Thus, by removing nondeterminism from A_D, which could not jeopardize its correctness
with respect to A_S, we might rule out some implementations and make the correctness proofs
of other implementations more cumbersome.
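As an added example in the same style as the model of A_S, and again not part of the report, the following Python model renders the steps of A_D. None stands for '?'; the step functions for the internal actions are named mark_step, unmark_step and drop (our naming), so that mark and unmark remain the queue functions defined above, and the keyword arguments mark_status, unmark_status and lose_status resolve the "optionally" clauses of the step rules. The constructed scenario at the end replays the explanation of the ack(b) effect: status is marked during a crash, the queue is emptied so that status.stat becomes true, and the acknowledgement resets the flag to OK.

```python
from dataclasses import dataclass, replace
from typing import Optional, Set, Tuple

# Added example, not part of the report: an executable rendering of A_D of
# Section 7.1. None stands for '?'. mark/unmark are the queue functions of
# the text; mark_step/unmark_step/drop are the internal actions (our naming).
Stat = Optional[bool]
OK, MARKED = "OK", "marked"                  # Flag = {OK, marked}
MsgFlag = Tuple[str, str]


@dataclass(frozen=True)
class StateD:
    queue: Tuple[MsgFlag, ...] = ()          # (Msg × Flag)*
    rec_s: bool = False
    rec_r: bool = False
    status: Tuple[Stat, str] = (False, OK)   # Stat × Flag


def delete(q, indices):
    return tuple(e for i, e in enumerate(q) if i not in indices)


def mark(q, indices):
    """mark(q, I): flag the elements with indices in I as marked."""
    return tuple((e[0], MARKED) if i in indices else e for i, e in enumerate(q))


def unmark(q, indices):
    """unmark(q, I): flag the elements with indices in I as OK."""
    return tuple((e[0], OK) if i in indices else e for i, e in enumerate(q))


def in_dom(q, indices: Set[int]) -> bool:
    return indices <= set(range(len(q)))


def send_msg(s: StateD, m: str) -> StateD:
    # A fresh message and the fresh status both get flag OK: not losable yet.
    return replace(s, queue=s.queue + ((m, OK),), status=(None, OK))


def ack(s: StateD, b: bool) -> Optional[StateD]:
    if s.status[0] != b:
        return None
    # Issuing an acknowledgement freezes the status: no later change of mind.
    return replace(s, status=(b, OK))


def receive_msg(s: StateD, m: str) -> Optional[StateD]:
    if not s.queue or s.queue[0][0] != m:
        return None                          # a marked message may still be delivered
    q = s.queue[1:]
    stat, flag = s.status
    if not q and stat is None:
        stat = True
    return replace(s, queue=q, status=(stat, flag))


def crash_s(s): return replace(s, rec_s=True)
def crash_r(s): return replace(s, rec_r=True)
def recover_s(s): return replace(s, rec_s=False) if s.rec_s else None
def recover_r(s): return replace(s, rec_r=False) if s.rec_r else None


def mark_step(s: StateD, indices: Set[int], mark_status: bool = False) -> Optional[StateD]:
    # mark(I): permission to lose messages (and maybe status) is only granted
    # while one side is crashed.
    if not (s.rec_s or s.rec_r) or not in_dom(s.queue, indices):
        return None
    status = (s.status[0], MARKED) if mark_status else s.status
    return replace(s, queue=mark(s.queue, indices), status=status)


def unmark_step(s: StateD, indices: Set[int], unmark_status: bool = False) -> Optional[StateD]:
    if not in_dom(s.queue, indices):
        return None
    status = (s.status[0], OK) if unmark_status else s.status
    return replace(s, queue=unmark(s.queue, indices), status=status)


def drop(s: StateD, indices: Set[int], lose_status: bool = False) -> Optional[StateD]:
    # drop(I): only marked elements may be deleted; the decision that lose(I)
    # takes during the crash at the S level is taken here, possibly after recovery.
    marked = {i for i, e in enumerate(s.queue) if e[1] == MARKED}
    if not indices <= marked:
        return None
    status = s.status
    if s.queue and len(s.queue) - 1 in indices:
        status = (False, OK)                 # last element lost: status must be lost
    elif s.status[1] == MARKED and lose_status:
        status = (False, OK)                 # marked status may be lost
    return replace(s, queue=delete(s.queue, indices), status=status)


def ack_then_no_change_of_mind() -> Tuple[StateD, Optional[StateD]]:
    """Constructed scenario: status is marked during a sender crash, both
    messages are delivered after recovery, and ack(true) resets the flag.
    Returns the states before and after the acknowledgement."""
    s = send_msg(send_msg(StateD(), "a"), "b")
    s = recover_s(mark_step(crash_s(s), {1}, mark_status=True))
    s = receive_msg(receive_msg(s, "a"), "b")     # status = (true, marked)
    return s, ack(s, True)
```

Before the acknowledgement the state still has status = (true, marked), so a drop step with lose_status could turn it into (false, OK); after ack(true) the flag is OK and the queue is empty, so no drop step can change the status any more.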




7.1.4 Liveness

As at the S level, we specify liveness in terms of fairness. Specifically, the liveness condition L_D
at the D level will be specified implicitly as an environment-free liveness formula Q_D for A_D.
Q_D will be stated as a conjunction of four weak fairness formulas, two of which have associated
forcing conditions. We do not require fairness on the actions mark(I), unmark(I), and drop(I).
Informally, we have the four weak fairness conjuncts:

1. ack(b) actions
   Forcing condition: rec_s = rec_r = false

2. receive_msg(m) actions
   Forcing condition: rec_s = rec_r = false

3. recover_s

4. recover_r

This ensures the same liveness as at the S level. Formally, let

  C_{D,1} = {ack(true), ack(false)}
  C_{D,2} = {receive_msg(m) | m ∈ Msg}
  C_{D,3} = {recover_s}
  C_{D,4} = {recover_r}

Then the formalization of Q_D is

  Q_D = WF(C_{D,1}, rec_s = false ∧ rec_r = false) ∧
        WF(C_{D,2}, rec_s = false ∧ rec_r = false) ∧
        WF(C_{D,3}) ∧
        WF(C_{D,4})

By Lemma 4.7, Q_D is an environment-free liveness formula for A_D. Thus, D = (A_D, L_D) is a live
I/O automaton. Furthermore, by Lemma 4.8, Q_D is stuttering-insensitive.

This concludes the Delayed-Decision Specification of the at-most-once message delivery problem
and attention is now turned towards proving that D correctly implements S.

7.2 Correctness of D

In this section we prove that D = (A_D, L_D) is a correct implementation of our specification
S = (A_S, L_S). First we give some invariants of A_D. Then we prove, by means of an image-finite
backward simulation, that A_D safely implements A_S, and finally we use this simulation result to
prove that D correctly implements S.

7.2.1 Invariants

We only need one invariant in the proof. The invariant should be understood as the conjunction
of the two parts.

Invariant 7.1

1. if status.stat = ? then queue ≠ ε

2. if status.stat = true then queue = ε

Proof

By a simple inductive argument, it is easily proven that all reachable states of A_D satisfy the
two parts of the invariant, so we omit the proof here. At the lower levels of abstraction we will
give examples of proofs of more interesting invariants.

■

Below, we refer to this invariant by I_D.

7.2.2 Safety

To show that A_D safely implements A_S, we show the existence of an image-finite backward
simulation from A_D to A_S with respect to some invariants. However, before we can do this we
need a few preliminary definitions and lemmas.

Below we let q_D be a queue at the D level, i.e., q_D ∈ (Msg × Flag)*, and let q_S be a queue at the
S level, i.e., q_S ∈ Msg*.

Definition 7.2 (Explanation)

Define an explanation from q_S to q_D to be any mapping f : dom(q_S) → dom(q_D) that satisfies
the following four conditions

1. f is total

2. f is strictly increasing

3. ∀i ∈ dom(q_D) \ rng(f) : q_D[i].flag = marked

4. ∀i ∈ dom(q_S) : q_D[f(i)].msg = q_S[i]

Basically, if there exists an explanation from q_S to q_D, this means that q_S can be obtained from
q_D by first deleting some of the marked elements of q_D and then removing the flags from the
remaining elements.

Lemma 7.3

Let f be an explanation from q_S to q_D. Then |q_S| ≤ |q_D|.

Proof

Suppose |q_S| > |q_D|. Then it is impossible to find a mapping from dom(q_S) to dom(q_D) that is
total and strictly increasing, thus Conditions 1 and 2 of Definition 7.2 are violated. Hence, we
can conclude |q_S| ≤ |q_D|.

Now, define #OK(q_D) to be the number of elements e of q_D with e.flag = OK. Thus, formally

  #OK(q_D) = |q_D ↾ (Msg × {OK})|

Lemma 7.4

Let f be an explanation from q_S to q_D. Then |q_S| ≥ #OK(q_D).

Proof

Suppose |q_S| < #OK(q_D). Then Conditions 1 and 2 of Definition 7.2 give us that |rng(f)| =
|q_S| (< #OK(q_D)), so there must exist indices i in q_D such that q_D[i].flag = OK and i ∉ rng(f).
But this contradicts Condition 3 of Definition 7.2. Hence, we can conclude |q_S| ≥ #OK(q_D).



We are now ready to define a relation B_DS over states(A_D) × states(A_S). In Lemma 7.11 below
we prove that B_DS is an image-finite backward simulation from A_D to A_S.

However, before we give the actual definition of B_DS, it might be appropriate to discuss how
to define a backward simulation in general. What states should be related? Let us give some
guidelines in terms of A_D and A_S in this example.

Recall that a backward simulation is needed when an implementation postpones some
nondeterminism of the specification. The deletion of messages during a crash in A_S can in A_D be
postponed until after recovery, which indicates that we need a backward simulation from A_D to
A_S. (It is impossible to find a forward simulation from A_D to A_S. See, e.g., [LV92] for details.)
This situation is shown, in a simplified way, in the following picture.



[Figure: simplified correspondence between the S level and the D level.
 S level:  u_0 --lose--> u_11 --recover_s--> u_21
           u_0 --lose--> u_12 --recover_s--> u_22
           u_0 --lose--> u_13 --recover_s--> u_23
 D level:  s_0 --mark--> s_1 --recover_s--> s_2 --drop--> s_31, s_32, s_33]

The mark step of A_D marks some messages, and after recovery some of the marked messages
can be deleted by the nondeterministic drop steps. In this simplified example we assume that
there are three ways of deleting messages, leading to states s_31, s_32, and s_33.(1) In A_S this scenario
corresponds to lose having the "same" three ways of deleting messages, leading to states u_11,
u_12, and u_13, followed by recovery.

(1) When dealing with two levels of abstraction, we always let s range over the states of the concrete level and
u over the states of the abstract level.
It seems fairly intuitive that B_DS should relate s_3i to u_2i for 1 ≤ i ≤ 3. But what about s_2?
Well, s_2 is the state right after A_D has recovered, so it should be related to states after A_S has
recovered. Thus, we are down to u_21, u_22, and u_23. Now the point is that s_2 actually corresponds
to all of these states. In some sense B_DS offers an explanation of the nondeterminism occurring
after s_2 by saying that this nondeterminism corresponds to some previous nondeterminism of
A_S, which has led to one of the states u_21, u_22, or u_23.

To check that B_DS is a backward simulation from A_D to A_S we have, among other things,
to verify that each step of A_D corresponds to a sequence of steps of A_S with the same trace.
More specifically, consider, e.g., the step (s_2, drop, s_32) of A_D. According to Condition 3 of
Definition 5.3, we have to verify that for each state of A_S that is related to s_32, here only u_22,
there exists a state u of A_S such that there is a sequence of steps from u to u_22 with an empty
trace (since drop is internal). But here we can just choose u to be u_22. This makes the sequence
of steps in A_S empty, which certainly has an empty trace.

For s_1 we can use similar arguments and find that s_1 should be related to all of the states
u_11, u_12, and u_13. Now, consider the step (s_1, recover_s, s_2) of A_D. Again, we have to consider
every state that is related to s_2. Let this state be u_2i for some arbitrary 1 ≤ i ≤ 3. We then have
to find some state u related to s_1 such that there is a sequence of steps from u to u_2i with the
trace recover_s. But here we just choose u = u_1i, and since, for all 1 ≤ i ≤ 3, (u_1i, recover_s, u_2i)
is a step of A_S, we are done.

Finally, of course, s_0 should be related to u_0.

The above example offers some guidelines when defining backward simulations, and even though
the real B_DS from A_D to A_S is more complicated, mainly because of the nondeterminism involved
with the status and the connection between queue and status, the recipe is the same:

  To any state s of A_D, we have to relate all states u of A_S that could have resulted
  from some nondeterminism of A_S that "corresponds" to nondeterminism that may
  happen after state s of A_D.

Of course, one has to use one's intuition about the safe I/O automata in question in order to
identify the "corresponding" nondeterminism.

B_DS can now be defined and motivated.

Definition 7.5 (Image-Finite Backward Simulation from A_D to A_S)

If s ∈ states(A_D) and u ∈ states(A_S), then define that (s, u) ∈ B_DS if there exists an explanation
f from u.queue to s.queue such that the following conditions hold:

1. u.rec_s = s.rec_s and u.rec_r = s.rec_r

2. u.status ∈ if s.status.flag = OK ∧ (s.queue = ε ∨ (last(s.queue)).flag = OK) then {s.status.stat}
              else {s.status.stat, false}

3. if u.status = ? ∧ s.queue ≠ ε then maxidx(s.queue) ∈ rng(f)

We say that an explanation from u.queue to s.queue is a valid explanation from u to s provided
that Conditions 1-3 are satisfied.

Note that (s, u) ∈ B_DS iff there exists a valid explanation from u to s.

The requirement that there has to be an explanation from u.queue to s.queue in order for
(s, u) ∈ B_DS is a generalization of the example above. Thus, all states u related to s have queues
that can be obtained by deleting some marked messages from s.queue and removing the flags
from the remaining elements.

Condition 1 gives the straightforward correspondence between the rec flags of A_D and A_S.

Condition 2 deals with the status. In A_D there are two ways of losing status (i.e., changing
status.stat to false), and both situations are described in the specification of the drop steps of A_D:
either the element at the end of queue gets deleted, in which case status must be lost, or status
is marked, in which case status may be lost. Alternatively, we can say that if status.flag = OK
and either queue is empty or its last element is OK, the status cannot be changed by a drop
step. Thus, in this case we are not in a situation where A_D is "waiting" to perform some
nondeterminism on status, which has already been performed by A_S. If, on the other hand,
status is marked or the last element on queue is marked, drop may lead to loss of status, and
this corresponds to a loss at the S level, which has already occurred in a lose step of S. Thus,
in this situation B_DS should allow the corresponding state at the S level to have status = false.
This explains Condition 2.

Finally, Condition 3 in the definition of B_DS is a consistency condition between the explanation
f and the value chosen for u.status. The condition should intuitively ensure that whenever
the last element of s.queue is not in the range of f, i.e., when f states that u describes a situation
where the last element of queue has been lost, then u.status must reflect this by having
the value false. Thus, the condition should limit the number of legal combinations of u.queue
and u.status due to the fact that these values are not always independent. The condition could
initially be written as

  if s.queue ≠ ε ∧ maxidx(s.queue) ∉ rng(f) then u.status = false

Taking the contrapositive of this condition gives us

  if u.status ≠ false then s.queue = ε ∨ maxidx(s.queue) ∈ rng(f)

Now, if u.status = true then Condition 2 gives us that also s.status.stat = true. Invariant 7.1
Part 2 then implies that s.queue is empty. Thus, if u.status = true, the condition is trivially
satisfied. So we only need to deal with the case where u.status = ? and this is exactly Condition
3 of the definition in a slightly rewritten form.

Note that in defining B_DS we have used our intuition about A_S and A_D. It is not at all certain that
a first attempt to define a simulation relation is correct. However, any errors in the definition
will be caught in the subsequent simulation proof and lead to a revised definition, and so on.
For instance, the consistency condition (Condition 3) in the definition of B_DS was added during
a proof attempt that failed. In Lemma 7.11 below we prove that B_DS is in fact an image-finite
backward simulation from A_D to A_S.

The following lemmas make the main simulation proof shorter. 

Lemma 7.6

Let s ∈ states(A_D) and q ∈ Msg* such that there exists an explanation from q to s.queue. Then
there exists a state u ∈ states(A_S) with u.rec_s = s.rec_s, u.rec_r = s.rec_r, u.queue = q, and
(s, u) ∈ B_DS.

Proof

Let f be an arbitrary explanation from q to s.queue and let u.rec_s = s.rec_s, u.rec_r = s.rec_r,
and u.queue = q. We must show that we can define u.status such that Conditions 1-3 of
Definition 7.5 are satisfied.

Condition 1 is trivially satisfied.

We now consider cases, in each case defining u.status and showing that Conditions 2 and 3 are
satisfied.

1. s.queue = ε

   Define u.status = s.status.stat. Then Conditions 2 and 3 are vacuously satisfied.

2. s.queue ≠ ε

   (a) (last(s.queue)).flag = marked

       Define u.status = false. This satisfies Conditions 2 and 3, the latter vacuously.

   (b) (last(s.queue)).flag = OK

       Define u.status = s.status.stat. Then Condition 2 is vacuously satisfied.
       Now, assume that maxidx(s.queue) ∉ rng(f). Then Condition 3 of Definition 7.2 of
       an explanation says that s.queue[maxidx(s.queue)].flag = marked, which is the same
       as (last(s.queue)).flag = marked, but this contradicts the assumptions in this
       subcase. Hence we have that maxidx(s.queue) ∈ rng(f). Thus Condition 3 is satisfied.

Now, define the total function maxqueue : (Msg × Flag)* → Msg* such that for any queue
q_D in the domain, maxqueue(q_D) is defined to be the queue q_S obtained by removing all flag
components from q_D. Formally, we have

  q_S = maxqueue(q_D) iff |q_S| = |q_D| and ∀i ∈ dom(q_D) : q_S[i] = q_D[i].msg

Lemma 7.7

The identity mapping f from dom(q_D) to dom(q_D) is an explanation from maxqueue(q_D) to q_D.

Proof

We check Conditions 1-4 of Definition 7.2 of an explanation. Since the identity mapping is both
total and strictly increasing, Conditions 1 and 2 are satisfied. Condition 3 is vacuously satisfied
since rng(f) = dom(q_D). From the definition of maxqueue we directly see that also Condition 4
is satisfied.

Lemma 7.8

Let s ∈ states(A_D). Then there exists a state u ∈ states(A_S) with u.rec_s = s.rec_s, u.rec_r = s.rec_r
and u.queue = maxqueue(s.queue), such that (s, u) ∈ B_DS.

Proof

Let q_S = maxqueue(s.queue). Then by Lemma 7.7 there exists an explanation (namely the
identity mapping) from q_S to s.queue. Lemma 7.6 then gives us the existence of a state u with
u.rec_s = s.rec_s, u.rec_r = s.rec_r, and u.queue = q_S such that (s, u) ∈ B_DS. That suffices.

Corollary 7.9

Let s ∈ states(A_D). Then there exists a state u ∈ states(A_S) such that (s, u) ∈ B_DS.

Proof

Immediate from Lemma 7.8.

■

We state the following trivial lemma without proof.

Lemma 7.10

Let q_D be an element of (Msg × Flag)*. Then, any element q_S of Msg*, such that there exists
an explanation from q_S to q_D, can be obtained from maxqueue(q_D) by deleting some elements.



We can now state and prove the main result of this section, namely that the relation B_DS
defined in Definition 7.5 is an image-finite backward simulation from A_D to A_S (with respect to
I_D (Invariant 7.1) and true). The style of the proof is careful mathematical reasoning.

Lemma 7.11

A_D ≤_B A_S via B_DS.

Proof

We prove that B_DS is an image-finite backward simulation from A_D to A_S with respect to I_D
and true. We first show that B_DS is image-finite and then check the three conditions (which we
call nonemptiness, base case, and inductive case, respectively) of Definition 5.3.

Image-Finiteness

Let s be an arbitrary state of A_D. We must show that there exist only finitely many states
u of A_S such that (s, u) ∈ B_DS. Since rec_s, rec_r, and status can only take on finitely many
values in A_S these variables cannot give rise to problems. It now remains to be shown that for
a fixed but arbitrary s also queue (in S) can only take on finitely many values. For (s, u) to
be in B_DS there must exist an explanation from u.queue to s.queue. Lemma 7.3 gives us that
|u.queue| ≤ |s.queue|, thus there are only a finite number of lengths to choose from (since s.queue
is a finite queue). Also, there exist only a finite number of mappings (explanations) between
two finite domains. Condition 4 of Definition 7.2 finally gives us that the elements of the possible
u.queue values are uniquely determined by s.queue and the (finitely many) explanations. Hence,
u.queue can only take on finitely many values given s. That suffices.
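As an added example, not part of the report, the following Python code renders Definition 7.2 (explanations), Definition 7.5 (B_DS) and the image-finiteness argument just given on plain tuples, and computes, for a given state s of A_D, the finite set of states u of A_S with (s, u) ∈ B_DS. A D state is written (queue, rec_s, rec_r, (stat, flag)) with queue a tuple of (msg, flag) pairs, an S state is written (queue, rec_s, rec_r, stat), None stands for '?', and indices are 0-based; the candidate queues are taken from Lemma 7.10 (subsequences of maxqueue(s.queue)). All function names are ours.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Added example, not part of the report: Definition 7.2 (explanations),
# Definition 7.5 (B_DS) and the image-finiteness argument of Lemma 7.11
# on plain tuples. A D state is (queue, rec_s, rec_r, (stat, flag)) with
# queue a tuple of (msg, flag) pairs; an S state is (queue, rec_s, rec_r, stat).
# None stands for '?'; indices are 0-based (the report uses dom(q) and
# maxidx(q) abstractly). All function names are ours.
OK, MARKED = "OK", "marked"
QueueD = Tuple[Tuple[str, str], ...]
QueueS = Tuple[str, ...]
Explanation = Dict[int, int]


def explanations(q_s: QueueS, q_d: QueueD) -> List[Explanation]:
    """All explanations f : dom(q_S) -> dom(q_D) in the sense of Definition 7.2.
    A total, strictly increasing map is exactly a choice of |q_S| indices of q_D
    in ascending order (Conditions 1 and 2), so those choices are enumerated
    and filtered by Conditions 3 and 4."""
    found = []
    for rng in combinations(range(len(q_d)), len(q_s)):
        f = dict(enumerate(rng))
        if any(q_d[i][1] != MARKED for i in range(len(q_d)) if i not in rng):
            continue                      # Condition 3: every skipped element is marked
        if any(q_d[f[i]][0] != q_s[i] for i in range(len(q_s))):
            continue                      # Condition 4: the messages agree
        found.append(f)
    return found


def maxqueue(q_d: QueueD) -> QueueS:
    """maxqueue(q_D): remove all flag components."""
    return tuple(e[0] for e in q_d)


def count_ok(q_d: QueueD) -> int:
    """#OK(q_D): the number of elements with flag OK (Lemma 7.4)."""
    return sum(1 for e in q_d if e[1] == OK)


def subsequences(q: QueueS) -> Set[QueueS]:
    """All queues obtainable from q by deleting some elements (Lemma 7.10)."""
    return {tuple(q[i] for i in keep)
            for k in range(len(q) + 1) for keep in combinations(range(len(q)), k)}


def valid_explanation(f: Explanation, s, u) -> bool:
    """Conditions 1-3 of Definition 7.5 for an explanation f from u.queue to s.queue."""
    s_queue, s_rec_s, s_rec_r, (s_stat, s_flag) = s
    _u_queue, u_rec_s, u_rec_r, u_stat = u
    if (u_rec_s, u_rec_r) != (s_rec_s, s_rec_r):
        return False                      # Condition 1: the rec flags agree
    # Condition 2: u.status may be false in addition to s.status.stat only
    # if a drop step of A_D could still lose the status.
    frozen = s_flag == OK and (not s_queue or s_queue[-1][1] == OK)
    if u_stat not in ({s_stat} if frozen else {s_stat, False}):
        return False
    # Condition 3: u.status = ? requires f to keep the last element of s.queue.
    if u_stat is None and s_queue and (len(s_queue) - 1) not in f.values():
        return False
    return True


def related_states(s) -> Set[tuple]:
    """The set {u | (s, u) in B_DS}. By Lemma 7.10 every candidate u.queue is a
    subsequence of maxqueue(s.queue), so a finite enumeration suffices: this is
    the image-finiteness argument of Lemma 7.11 made concrete."""
    s_queue, rec_s, rec_r, _ = s
    related = set()
    for q_s in subsequences(maxqueue(s_queue)):
        fs = explanations(q_s, s_queue)
        for u_stat in (None, True, False):
            u = (q_s, rec_s, rec_r, u_stat)
            if any(valid_explanation(f, s, u) for f in fs):
                related.add(u)
    return related
```

For the state s with s.queue = ((a, OK), (b, marked)) and s.status = (?, OK), related_states returns three states: u.queue = (a) with u.status = false (the only explanation skips the marked last element, so Condition 3 rules out u.status = ?), and u.queue = (a, b) with u.status either ? or false. Each of them satisfies the bounds #OK(s.queue) ≤ |u.queue| ≤ |s.queue| of Lemmas 7.3 and 7.4, and maxqueue(s.queue) is always among the related queues, as Lemma 7.8 states.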




Nonemptiness 

Corollary 7.9 immediately gives the result. 

Base Case 

Let s be the (unique) start state of A-q. Then if (s,u) £ -B D s, then u.rec s = s.rec s = false, 
u.rec r = s.rec r = false, u. status = s. status. stat = false (since s. status. flag = OK and s. queue = 
e), and u. queue = e (since the existence of an explanation from u. queue to s. queue and the 
fact that s. queue = e implies that u. queue = e.) Thus, u is the unique start state of A s . That 
suffices. 

Inductive Case 

Assume $(s,a,s') \in \mathit{steps}(A_D)$ such that $s$ and $s'$ satisfy $I_D$ (Invariant 7.1), and let $u'$ be an
arbitrary state of $A_S$ such that $(s',u') \in B_{DS}$. Below we consider cases based on $a$ (and sometimes
sub-cases of each case), and for each (sub)case we define a finite execution fragment $\alpha$ of $A_S$
with $\mathit{lstate}(\alpha) = u'$, $(s,\mathit{fstate}(\alpha)) \in B_{DS}$, and $\mathit{trace}(\alpha) = \mathit{trace}(a)$. In this particular proof all
execution fragments will be of length zero or one. Thus, in each (sub)case we will either

• define an action $b \in \mathit{acts}(A_S)$ and a state $u \in \mathit{states}(A_S)$, such that $(u,b,u') \in \mathit{steps}(A_S)$,
$(s,u) \in B_{DS}$, and $\mathit{trace}(b) = \mathit{trace}(a)$, or

• show that $(s,u') \in B_{DS}$ and $a$ is internal.

In the former case, we show that $(u,b,u') \in \mathit{steps}(A_S)$ by showing that all four state variables
of $A_S$ are related in $u$ and $u'$ according to the definition of the $b$ steps of $A_S$.

In the proof, when we refer to Conditions 1-3, we mean Conditions 1-3 of Definition 7.5 of $B_{DS}$
unless otherwise specified.

a = send_msg(m) 



In this case we show that we can define $u$ such that $(u,\mathit{send\_msg}(m),u') \in \mathit{steps}(A_S)$ and
$(s,u) \in B_{DS}$. Clearly the step has the right trace.

We have $s'.\mathit{queue} = s.\mathit{queue} \frown (m, \mathit{OK})$ and $s'.\mathit{status} = ({?}, \mathit{OK})$. Lemma 7.4 implies $u'.\mathit{queue} \ne \varepsilon$.

Define $u.\mathit{rec}_s = s.\mathit{rec}_s$
$u.\mathit{rec}_r = s.\mathit{rec}_r$
$u.\mathit{queue} = \mathit{init}(u'.\mathit{queue})$

First we find an explanation from $u.\mathit{queue}$ to $s.\mathit{queue}$. Let $f'$ be a valid explanation from
$u'$ to $s'$. (Such a valid explanation exists since $(s',u') \in B_{DS}$.) Since $\mathit{last}(s'.\mathit{queue}).\mathit{flag} =
\mathit{OK}$, we have from Lemma 7.4 and Conditions 1-3 of Definition 7.2 of an explanation that
$f'(\mathit{maxidx}(u'.\mathit{queue})) = \mathit{maxidx}(s'.\mathit{queue})$. Then $f = f' \restriction \mathrm{dom}(u.\mathit{queue})$ is clearly an explanation
from $u.\mathit{queue}$ to $s.\mathit{queue}$.

Now, by Lemma 7.6, define $u.\mathit{status}$ such that $(s,u) \in B_{DS}$.

It remains to show that $(u,\mathit{send\_msg}(m),u') \in \mathit{steps}(A_S)$:

$\mathit{rec}_s$ and $\mathit{rec}_r$:
From the definition of the send_msg(m) steps of $A_D$, the definition of $u$, and the fact that
$(s',u') \in B_{DS}$, we have that $u'.\mathit{rec}_s = s'.\mathit{rec}_s = s.\mathit{rec}_s = u.\mathit{rec}_s$ and correspondingly for $\mathit{rec}_r$.
This is as required by the definition of the send_msg(m) steps of $A_S$.

$\mathit{status}$:
Since $(s',u') \in B_{DS}$, Condition 2 implies that $u'.\mathit{status} = {?}$. No matter what the value of
$u.\mathit{status}$ is, this is as required by the definition of the send_msg(m) steps of $A_S$.

$\mathit{queue}$:
We have $u'.\mathit{queue} \ne \varepsilon$ (by Lemma 7.4) and $\mathit{last}(u'.\mathit{queue}) = m$ (by use of Definition 7.2 of
an explanation). Then, by definition, we have $u'.\mathit{queue} = \mathit{init}(u'.\mathit{queue}) \frown \mathit{last}(u'.\mathit{queue}) =
u.\mathit{queue} \frown m$. Again, this is as required by the definition of the send_msg(m) steps of $A_S$.

a = crash_s

Define $u.\mathit{rec}_s = s.\mathit{rec}_s$
$u.\mathit{rec}_r = u'.\mathit{rec}_r$
$u.\mathit{status} = u'.\mathit{status}$
$u.\mathit{queue} = u'.\mathit{queue}$

Then it is easy to see that $(s,u) \in B_{DS}$ (any valid explanation from $u'$ to $s'$ is also a valid
explanation from $u$ to $s$) and that $(u, \mathit{crash}_s, u') \in \mathit{steps}(A_S)$.

a = crash_r

Similar to the case a = crash_s.

a = receive_msg(m)

In this case we define $u$ such that $(u, \mathit{receive\_msg}(m), u') \in \mathit{steps}(A_S)$ and $(s,u) \in B_{DS}$. Clearly
the step has the right trace.

From the definition of the receive_msg(m) steps of $A_D$ we have that $s.\mathit{rec}_r = s'.\mathit{rec}_r$, $s.\mathit{rec}_s =
s'.\mathit{rec}_s$, $s.\mathit{queue} \ne \varepsilon$ with $(\mathit{head}(s.\mathit{queue})).\mathit{msg} = m$, and $s'.\mathit{queue} = \mathit{tail}(s.\mathit{queue})$.

Define $u.\mathit{rec}_s = s.\mathit{rec}_s$
$u.\mathit{rec}_r = s.\mathit{rec}_r$
$u.\mathit{queue} = m \frown u'.\mathit{queue}$

We first find an explanation from $u.\mathit{queue}$ to $s.\mathit{queue}$. Let $f'$ be any valid explanation from $u'$
to $s'$ (we know it exists), and define $f$ in the following way:

$f = [(i+1) \mapsto (f'(i)+1) \mid i \in \mathrm{dom}(f')] \cup [0 \mapsto 0]$

Intuitively $f$ relates the same elements in $u.\mathit{queue}$ and $s.\mathit{queue}$ that were related by $f'$ in $u'.\mathit{queue}$
and $s'.\mathit{queue}$ (these elements all have their indices increased by one because of the new elements
at the head of the queues), and relates these new messages $m$. Based on the fact that $f'$ is an
explanation from $u'.\mathit{queue}$ to $s'.\mathit{queue}$, it is easy to check that $f$ is an explanation from $u.\mathit{queue}$
to $s.\mathit{queue}$.

We consider cases, in each case defining $u.\mathit{status}$, showing $(s,u) \in B_{DS}$ by showing that Conditions
2-3 hold (Condition 1 clearly holds), and showing that $(u, \mathit{receive\_msg}(m), u') \in \mathit{steps}(A_S)$.
For the latter part it is easy to see that a receive_msg(m) step is enabled in $u$ and that $\mathit{rec}_s$,
$\mathit{rec}_r$ and $\mathit{queue}$ are handled correctly. So all we need to do is to show that also $\mathit{status}$ is handled
correctly in the receive_msg(m) step of $A_S$.
1. $s.\mathit{status}.\mathit{stat} = \mathit{true}$

Invariant 7.1 Part 2 implies that this situation cannot occur.

2. $s.\mathit{status}.\mathit{stat} = \mathit{false}$
Define $u.\mathit{status} = \mathit{false}$.

Then clearly $(s,u) \in B_{DS}$ (Conditions 2 and 3 are vacuously satisfied).

$\mathit{status}$:
Since $s.\mathit{status}.\mathit{stat} = \mathit{false}$, we have $s'.\mathit{status} = s.\mathit{status}$, so $u'.\mathit{status} = \mathit{false}$. Leaving
$\mathit{status} = \mathit{false}$ unchanged is permitted by the definition of the receive_msg(m) steps in
$A_S$.

3. $s.\mathit{status}.\mathit{stat} = {?}$

(a) $u'.\mathit{queue} \ne \varepsilon$

Then also $s'.\mathit{queue} \ne \varepsilon$ (by Lemma 7.3), so from the definition of receive_msg(m) in
$A_D$ we have $s'.\mathit{status} = s.\mathit{status}$.

Define $u.\mathit{status} = u'.\mathit{status}$.

Condition 2:
Since $(s',u')$ satisfies Condition 2, also $(s,u)$ satisfies that condition. (Neither the
emptiness of $\mathit{queue}$, $\mathit{status}.\mathit{flag}$, nor the flag of the last element in $\mathit{queue}$ are changed
in the step in $A_D$.)

Condition 3:
Assume that $u.\mathit{status}\ (= u'.\mathit{status}) = {?}$. Since $s.\mathit{queue} \ne \varepsilon$, we must show that
$\mathit{maxidx}(s.\mathit{queue}) \in \mathrm{rng}(f)$. Since $s'.\mathit{queue} \ne \varepsilon$, and $(s',u')$ and $f'$ satisfy Condition
3, we have $\mathit{maxidx}(s'.\mathit{queue}) \in \mathrm{rng}(f')$, so from the construction of $f$ it is easy to
see that $\mathit{maxidx}(s.\mathit{queue}) \in \mathrm{rng}(f)$.

$\mathit{status}$:
Leaving $\mathit{status}$ unchanged is as required by the definition of receive_msg(m) in $A_S$
since we assume that $u'.\mathit{queue} \ne \varepsilon$.

(b) $u'.\mathit{queue} = \varepsilon$

i. $s'.\mathit{queue} = \varepsilon$

Then the definition of receive_msg(m) in $A_D$ implies that $s'.\mathit{status}.\mathit{stat} = \mathit{true}$ and
$s'.\mathit{status}.\mathit{flag} = s.\mathit{status}.\mathit{flag}$. Then, by definition of $B_{DS}$, $u'.\mathit{status}$ is either $\mathit{true}$ or
$\mathit{false}$. We consider cases.

A. $s'.\mathit{status}.\mathit{flag} = \mathit{OK}$ or ($s'.\mathit{status}.\mathit{flag} = \mathit{marked}$ and $u'.\mathit{status} = \mathit{true}$)

If $s'.\mathit{status}.\mathit{flag} = \mathit{OK}$, then by Condition 2 we also have $u'.\mathit{status} = \mathit{true}$ since
$s'.\mathit{status}.\mathit{stat} = \mathit{true}$.

Define $u.\mathit{status} = {?}\ (= s.\mathit{status}.\mathit{stat})$.

Condition 2:
Vacuously satisfied by $(s,u)$.

Condition 3:
Since $s'.\mathit{queue} = \varepsilon$, we have $|s.\mathit{queue}| = 1$. Now, since $f(0) = 0$, we have
$\mathit{maxidx}(s.\mathit{queue}) \in \mathrm{rng}(f)$ as required.

$\mathit{status}$:
Changing $\mathit{status}$ from ${?}$ to $\mathit{true}$ when $u'.\mathit{queue} = \varepsilon$ is as required by the definition
of receive_msg(m) in $A_S$.

B. $s'.\mathit{status}.\mathit{flag} = \mathit{marked}$ and $u'.\mathit{status} = \mathit{false}$
Define $u.\mathit{status} = \mathit{false}$.

Condition 2:
Since $s.\mathit{status}.\mathit{flag} = s'.\mathit{status}.\mathit{flag} = \mathit{marked}$, we have that $(s,u)$ satisfies Condition 2.

Condition 3:
Vacuously satisfied.

$\mathit{status}$:
Leaving $\mathit{status} = \mathit{false}$ unchanged is allowed by receive_msg(m) in $A_S$.

ii. $s'.\mathit{queue} \ne \varepsilon$

The definition of receive_msg(m) in $A_D$ implies $s'.\mathit{status}.\mathit{stat} = s.\mathit{status}.\mathit{stat} = {?}$
and $s'.\mathit{status}.\mathit{flag} = s.\mathit{status}.\mathit{flag}$. Since $u'.\mathit{queue} = \varepsilon$, $s'.\mathit{queue} \ne \varepsilon$, and $(s',u')$
and $f'$ satisfy Condition 3, we get that $u'.\mathit{status} \ne {?}$ ($f'$ must be empty). Note
that this is one of the two places in the entire proof where we need the consistency
condition (Condition 3). Condition 2 now gives us that $u'.\mathit{status} = \mathit{false}$ and that
either $s'.\mathit{status}.\mathit{flag} = \mathit{marked}$ or $(\mathit{last}(s'.\mathit{queue})).\mathit{flag} = \mathit{marked}$.
Define $u.\mathit{status} = \mathit{false}$.

Condition 2:
Since $s.\mathit{status}.\mathit{flag} = s'.\mathit{status}.\mathit{flag}$, $(\mathit{last}(s'.\mathit{queue})).\mathit{flag} = (\mathit{last}(s.\mathit{queue})).\mathit{flag}$,
and one of these flag values is $\mathit{marked}$, we see that $(s,u)$ satisfies Condition 2.

Condition 3:
Vacuously satisfied.

$\mathit{status}$:
Leaving $\mathit{status} = \mathit{false}$ unchanged is allowed by the definition of receive_msg(m)
in $A_S$.

a = ack(b)

In this case we define $u$ such that $(u, \mathit{ack}(b), u') \in \mathit{steps}(A_S)$ and $(s,u) \in B_{DS}$. Clearly the step
has the right trace.

From the definition of ack(b) in $A_D$, we have that $s.\mathit{status}.\mathit{stat} = b$ and that $s' = s$ except that
$s'$ and $s$ may differ on the value of $\mathit{status}.\mathit{flag}$, which is set to $\mathit{OK}$ in the step.

We consider cases based on the value of $b$.

1. $b = \mathit{false}$

Then $u'.\mathit{status} = \mathit{false}$.

Define $u = u'$.

It is now easy to see that $(s,u) \in B_{DS}$. (The fact that $s$ and $s'$ may differ on the value of
$\mathit{status}.\mathit{flag}$ could only cause troubles in Condition 2, but this is seen not to be the case since
$s.\mathit{status}.\mathit{stat} = \mathit{false}$ implies that the only choice for $u.\mathit{status}$ is $\mathit{false}$, as we have defined it
to be.)

Now, since $u' = u$, we have $u.\mathit{status} = \mathit{false}$. Thus, an ack(b) step is enabled in $u$. Again,
since $u = u'$, we now see that $(u, \mathit{ack}(b), u')$ is a step of $A_S$ as required.

2. $b = \mathit{true}$

Since $s.\mathit{status}.\mathit{stat} = s'.\mathit{status}.\mathit{stat} = \mathit{true}$, Invariant 7.1 Part 2 gives us that $s'.\mathit{queue} = \varepsilon$
and $s.\mathit{queue} = \varepsilon$. Furthermore, since $s'.\mathit{status}.\mathit{flag} = \mathit{OK}$, we get from Condition 2 that
$u'.\mathit{status} = \mathit{true}$.

Define $u = u'$.

As in the previous case clearly $(s,u) \in B_{DS}$ and $(u, \mathit{ack}(b), u') \in \mathit{steps}(A_S)$.
a = recover_s

Define $u.\mathit{rec}_s = \mathit{false}$
$u.\mathit{rec}_r = u'.\mathit{rec}_r$
$u.\mathit{status} = u'.\mathit{status}$
$u.\mathit{queue} = u'.\mathit{queue}$

Since $u.\mathit{rec}_s = s.\mathit{rec}_s = \mathit{false}$, it is easy to see that $(s,u) \in B_{DS}$ (any valid explanation from $u'$
to $s'$ is also a valid explanation from $u$ to $s$) and that $(u, \mathit{recover}_s, u') \in \mathit{steps}(A_S)$ (and clearly
has the right trace).

a = recover_r

Similar to the case a = recover_s.

a = mark(I)

In this case we define $u$ and $I'$ such that $(u, \mathit{lose}(I'), u') \in \mathit{steps}(A_S)$ and $(s,u) \in B_{DS}$. Clearly
the step has the right trace (the empty trace).

From the definition of the mark steps in $A_D$ we have $s'.\mathit{rec}_s = s.\mathit{rec}_s$, $s'.\mathit{rec}_r = s.\mathit{rec}_r$, and either
$s.\mathit{rec}_s = \mathit{true}$ or $s.\mathit{rec}_r = \mathit{true}$.

Define $u.\mathit{rec}_s = s.\mathit{rec}_s$
$u.\mathit{rec}_r = s.\mathit{rec}_r$
$u.\mathit{queue} = \mathit{maxqueue}(s.\mathit{queue})$
$u.\mathit{status} = s.\mathit{status}.\mathit{stat}$

By Lemma 7.7 the identity mapping $f$ is an explanation from $u.\mathit{queue}$ to $s.\mathit{queue}$, and it is easy
to show that $f$ is a valid explanation from $u$ to $s$. Thus, $(s,u) \in B_{DS}$.

To show that $(u, \mathit{lose}(I'), u') \in \mathit{steps}(A_S)$, we first observe that since $(s,u) \in B_{DS}$ we have
$u.\mathit{rec}_s = \mathit{true}$ or $u.\mathit{rec}_r = \mathit{true}$, so a lose(I') step is enabled in $u$.

$\mathit{rec}_s$ and $\mathit{rec}_r$:
$u'.\mathit{rec}_s = s'.\mathit{rec}_s = s.\mathit{rec}_s = u.\mathit{rec}_s$ and similarly for $\mathit{rec}_r$. This is as required by the definition
of lose(I') in $A_S$.

$\mathit{queue}$:
First observe that $\mathit{maxqueue}(s.\mathit{queue}) = \mathit{maxqueue}(s'.\mathit{queue})$. Then, since by definition we
have $u.\mathit{queue} = \mathit{maxqueue}(s.\mathit{queue})$, Lemma 7.10 implies that $u'.\mathit{queue}$ can be obtained from
$u.\mathit{queue}$ by deleting some (possibly zero) elements. Thus, we can define $I'$ accordingly, and
this is as required by the definition of lose(I') in $A_S$.

$\mathit{status}$:
First note that since we might have $s'.\mathit{status}.\mathit{flag} = \mathit{marked}$, we also might have $u'.\mathit{status} =
\mathit{false}$ by Condition 2, but since lose(I') can always change $\mathit{status}$ to $\mathit{false}$ in $A_S$, this situation
does not cause troubles.

The situation that could cause troubles is if $u'.\mathit{status} \ne \mathit{false}$ but the lose(I') step is required
to change $\mathit{status}$ to $\mathit{false}$ because the element at the end of $u.\mathit{queue}$ must be deleted in order
to treat $\mathit{queue}$ correctly. We must show that this situation is impossible.

Assume that $u'.\mathit{status} \ne \mathit{false}$. Then Condition 2 and the definition of mark(I) in $A_D$ give
$u'.\mathit{status} = s'.\mathit{status}.\mathit{stat} = s.\mathit{status}.\mathit{stat} \ne \mathit{false}$. We consider cases.

1. $u'.\mathit{status} = s'.\mathit{status}.\mathit{stat} = s.\mathit{status}.\mathit{stat} = \mathit{true}$.

Invariant 7.1 Part 2 implies $s.\mathit{queue} = s'.\mathit{queue} = \varepsilon$. Then Lemma 7.3 implies that
$u.\mathit{queue} = u'.\mathit{queue} = \varepsilon$. Thus $I' = \emptyset$. That suffices.

2. $u'.\mathit{status} = s'.\mathit{status}.\mathit{stat} = s.\mathit{status}.\mathit{stat} = {?}$.

(a) $s.\mathit{queue} = \varepsilon$
Similar to Case 1.

(b) $s.\mathit{queue} \ne \varepsilon$

Then Condition 3 and Definition 7.2 imply $f(\mathit{maxidx}(u.\mathit{queue})) = \mathit{maxidx}(s.\mathit{queue})$.
It is now easy to see that $u'.\mathit{queue}$ can be obtained by deleting some elements, but
not the element at the end, from $u.\mathit{queue}$. That suffices.

a = unmark(I)

In this case we show that unmark(I) in $A_D$ corresponds to an empty step in $A_S$ (remember that
unmark(I) is internal). Thus, we show that $(s,u') \in B_{DS}$.

From the definition of the unmark(I) steps of $A_D$, we have that $s'.\mathit{queue}$ is obtained from $s.\mathit{queue}$
by changing some (maybe zero) flag values from $\mathit{marked}$ to $\mathit{OK}$. Now, let $f'$ be a valid explanation
from $u'$ to $s'$. Then by Definition 7.2 it is easy to see that $f'$ is also an explanation from $u'.\mathit{queue}$
to $s.\mathit{queue}$. (The only interesting case is Condition 3 of Definition 7.2, but since messages that
are marked in $s'.\mathit{queue}$ cannot be OK in $s.\mathit{queue}$, this case is easily checked.)

We show that $f'$ is a valid explanation from $u'$ to $s$ by checking Conditions 1-3.

Condition 1:
This condition is satisfied since the unmark(I) step does not change $\mathit{rec}_s$ and $\mathit{rec}_r$.

Condition 2:
The unmarking of $\mathit{status}$ and message flags might lead to the requirement that $u'.\mathit{status} =
s'.\mathit{status}.\mathit{stat}$ (by Condition 2). But then obviously also $(s,u')$ satisfies Condition 2 since both
the "then" and the "else" in this condition allow $u'.\mathit{status} = s.\mathit{status}.\mathit{stat}\ (= s'.\mathit{status}.\mathit{stat})$.
The important thing to note here is that unmark(I) cannot lead from a situation where the
"then" clause must be chosen to a situation where the "else" clause must be chosen.

Condition 3:
Since Condition 3 does not mention any flag values, it is seen that $(s,u')$ and $f'$ satisfy this
condition.

a = drop(I)

In this case we show that drop(I) corresponds to an empty step of $A_S$, i.e., that $(s,u') \in B_{DS}$ (recall
that drop(I) is internal).

Let $f'$ be an arbitrary valid explanation from $u'$ to $s'$. We now construct an explanation $f$ from
$u'.\mathit{queue}$ to $s.\mathit{queue}$: $I$ contains the indices of the elements of $s.\mathit{queue}$ that were deleted in the
drop(I) step. Then $|\mathrm{dom}(s'.\mathit{queue})| = |\mathrm{dom}(s.\mathit{queue}) \setminus I|$. Now, let $g$ be the (unique) bijective,
strictly increasing mapping from $\mathrm{dom}(s'.\mathit{queue})$ to $\mathrm{dom}(s.\mathit{queue}) \setminus I$. Informally, $g$ maps indices
of elements in $s'.\mathit{queue}$ to the indices the same elements had in $s.\mathit{queue}$.

Define $f = g \circ f'$. To check that $f$ is an explanation from $u'.\mathit{queue}$ to $s.\mathit{queue}$, we check
Conditions 1-4 of Definition 7.2:

Conditions 1-2 of Definition 7.2:
Since $f'$ is total and strictly increasing from $\mathrm{dom}(u'.\mathit{queue})$ to $\mathrm{dom}(s'.\mathit{queue})$ and $g$ is total and
strictly increasing from $\mathrm{dom}(s'.\mathit{queue})$ to $\mathrm{dom}(s.\mathit{queue}) \setminus I$, $f$ is total and strictly increasing
from $\mathrm{dom}(u'.\mathit{queue})$ to $\mathrm{dom}(s.\mathit{queue})$.

Condition 3 of Definition 7.2:
We have that $\mathrm{dom}(s.\mathit{queue}) \setminus \mathrm{rng}(g \circ f') = I \cup g^{-1}(\mathrm{dom}(s'.\mathit{queue}) \setminus \mathrm{rng}(f'))$. This informally
states that if an element of $s.\mathit{queue}$ is not "hit" by $f$ then this is because either the element is
one of the elements that are deleted in the drop(I) step or because the "corresponding" (by
$g$) element in $s'.\mathit{queue}$ is not "hit" by $f'$. Now, all elements in $s.\mathit{queue}$ with indices in $I$ are
marked (by the precondition of drop(I)). Since $f'$ is an explanation, all elements of $s'.\mathit{queue}$
with indices in $\mathrm{dom}(s'.\mathit{queue}) \setminus \mathrm{rng}(f')$ are marked, and since $g$ and then also $g^{-1}$ map the
index of an element to the index of the same element, we have that all elements of $s.\mathit{queue}$
with indices in $g^{-1}(\mathrm{dom}(s'.\mathit{queue}) \setminus \mathrm{rng}(f'))$ are marked. That suffices.

Condition 4 of Definition 7.2:
By the fact that $f'$ is an explanation (and therefore satisfies Condition 4) and the fact that
$g$ maps the index of an element to the index of the same element, it directly follows that $f$
satisfies Condition 4 of Definition 7.2.

Thus, $f$ is an explanation from $u'.\mathit{queue}$ to $s.\mathit{queue}$.

It now remains to show that $f$ is a valid explanation from $u'$ to $s$, i.e., we must check Conditions
1-3.

Condition 1:
Condition 1 is clearly satisfied (since neither $\mathit{rec}_s$ nor $\mathit{rec}_r$ are changed in the drop(I) step and
$(s',u') \in B_{DS}$).

Condition 2:
We consider the ways $\mathit{status}$ can change in the if-statement in the definition of the drop(I)
step.

Assume that the element at the end of $s.\mathit{queue}$ is deleted in the drop(I) step. Then $s'.\mathit{status} =
(\mathit{false}, \mathit{OK})$, which implies $u'.\mathit{status} = \mathit{false}$. But in order to be able to delete the element at the
end of $s.\mathit{queue}$ we have that $s.\mathit{queue} \ne \varepsilon$ and $(\mathit{last}(s.\mathit{queue})).\mathit{flag} = \mathit{marked}$, so $(s,u')$ satisfies
Condition 2.

Then assume that the element at the end of $s.\mathit{queue}$ is not deleted but that $\mathit{status}$ is
changed to $(\mathit{false}, \mathit{OK})$ since $s.\mathit{status}.\mathit{flag} = \mathit{marked}$. Again we have $u'.\mathit{status} = \mathit{false}$, and since
$s.\mathit{status}.\mathit{flag} = \mathit{marked}$, we have that $(s,u')$ satisfies Condition 2.

The last possibility is that $\mathit{status}$ is not changed at all in the drop(I) step, but then obviously
$(s,u')$ satisfies Condition 2 since $(s',u')$ satisfies it.

Condition 3:
Assume $u'.\mathit{status} = {?}$ and $s.\mathit{queue} \ne \varepsilon$. Since $u'.\mathit{status} = {?}$ we must have $s'.\mathit{status}.\mathit{stat} = {?}$,
and then from the definition of the drop(I) step we infer $s.\mathit{status} = s'.\mathit{status}$.
Then the element at the end of $s.\mathit{queue}$ is not deleted in the drop(I) step (i.e., $\mathit{maxidx}(s.\mathit{queue}) \notin
I$) since otherwise $s'.\mathit{status} = (\mathit{false}, \mathit{OK})$. Thus, also $s'.\mathit{queue} \ne \varepsilon$. Since $f'$ is a valid explanation
from $u'$ to $s'$, Condition 3 gives us $\mathit{maxidx}(s'.\mathit{queue}) \in \mathrm{rng}(f')$, and since $\mathit{maxidx}(s.\mathit{queue}) \notin
I$ we must have $g(\mathit{maxidx}(s'.\mathit{queue})) = \mathit{maxidx}(s.\mathit{queue})$ since otherwise $g$ could not be bijective
and strictly increasing. All in all we get $\mathit{maxidx}(s.\mathit{queue}) \in \mathrm{rng}(f)$, as required.

This concludes the simulation proof.
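To make the explanation constructions used in this proof concrete, here is an added Python example (not code from the report). It checks a mapping against Conditions 1-4 of Definition 7.2 as the proof paraphrases them (total and strictly increasing, every element not hit is marked, the elements of $u.\mathit{queue}$ determined by $s.\mathit{queue}$ and the mapping), builds the shifted explanation of the receive_msg(m) case and the composed explanation $g \circ f'$ of the drop(I) case, and enumerates, for a fixed $s.\mathit{queue}$, every $u.\mathit{queue}$ that admits an explanation, which is the image-finiteness argument at the start of the proof. The queue representations (a list of messages for $A_S$, a list of (message, flag) pairs for $A_D$), the function names and the sample queues are this example's assumptions, and the reading of Condition 4 as $u.\mathit{queue}[i] = (s.\mathit{queue}[f(i)]).\mathit{msg}$ is inferred from the way the proof uses it.

```python
"""Explanations (Definition 7.2) between an S-level queue of messages and a D-level
queue of (message, flag) pairs, with the two constructions used in the simulation
proof. Added example; the conditions below are this example's reading of Definition
7.2 as summarised in the proof text, not the report's own formalisation."""
from itertools import combinations
from typing import Dict, List, Set, Tuple

OK, MARKED = "OK", "marked"
Flagged = Tuple[str, str]            # (msg, flag): one element of a D-level queue


def is_explanation(u_queue: List[str], s_queue: List[Flagged], f: Dict[int, int]) -> bool:
    """Conditions 1-2: f is total and strictly increasing from dom(u.queue) into
    dom(s.queue). Condition 3: every element of s.queue not hit by f is marked.
    Condition 4 (assumed reading): u.queue[i] is the message of s.queue[f(i)]."""
    dom_u = list(range(len(u_queue)))
    if sorted(f) != dom_u:                                   # total, exactly on dom(u.queue)
        return False
    if any(not 0 <= f[i] < len(s_queue) for i in dom_u):     # into dom(s.queue)
        return False
    if any(f[i] >= f[i + 1] for i in dom_u[:-1]):            # strictly increasing
        return False
    hit = set(f.values())
    if any(flag != MARKED for j, (_, flag) in enumerate(s_queue) if j not in hit):
        return False                                         # an OK element was skipped
    return all(u_queue[i] == s_queue[f[i]][0] for i in dom_u)


def shift_explanation(f_post: Dict[int, int]) -> Dict[int, int]:
    """receive_msg(m) case: from f' (post-state) build the pre-state explanation
    f = [(i+1) -> f'(i)+1 | i in dom(f')] u [0 -> 0]. The new head elements (m at
    index 0 of both queues) are related; everything else shifts by one."""
    f = {i + 1: j + 1 for i, j in f_post.items()}
    f[0] = 0
    return f


def drop_explanation(f_post: Dict[int, int], s_len: int, dropped: Set[int]) -> Dict[int, int]:
    """drop(I) case: g is the unique strictly increasing bijection from dom(s'.queue)
    onto dom(s.queue) \\ I (an index of s'.queue goes back to the index the same
    element had in s.queue), and f = g o f'."""
    kept = [j for j in range(s_len) if j not in dropped]
    g = dict(enumerate(kept))
    return {i: g[j] for i, j in f_post.items()}


def possible_u_queues(s_queue: List[Flagged]) -> List[List[str]]:
    """Image-finiteness made concrete: for a fixed s.queue, every u.queue that has an
    explanation keeps all OK elements and some subset of the marked ones, so there
    are at most 2^(number of marked elements) candidates, each with exactly one
    strictly increasing explanation."""
    must = [j for j, (_, flag) in enumerate(s_queue) if flag == OK]
    may = [j for j, (_, flag) in enumerate(s_queue) if flag == MARKED]
    result = []
    for r in range(len(may) + 1):
        for chosen in combinations(may, r):
            idx = sorted(must + list(chosen))
            result.append([s_queue[j][0] for j in idx])
    return result


if __name__ == "__main__":
    # Constructed sample: post-state queues of a receive_msg("a") step and a valid f'.
    s_post = [("b", MARKED), ("c", OK)]
    u_post = ["c"]
    f_post = {0: 1}
    f_pre = shift_explanation(f_post)                       # {0: 0, 1: 2}
    print(is_explanation(["a"] + u_post, [("a", OK)] + s_post, f_pre))
    # Constructed sample: a drop({1, 3}) step on a four-element s.queue.
    s_pre = [("a", OK), ("b", MARKED), ("c", OK), ("d", MARKED)]
    print(is_explanation(["a", "c"], s_pre, drop_explanation({0: 0, 1: 1}, 4, {1, 3})))
    print(possible_u_queues(s_pre))
```

The `possible_u_queues` function is the part that goes beyond the specific cases in the proof: it generalises the image-finiteness observation by producing the whole finite candidate set for any $s.\mathit{queue}$, and each candidate is accepted by `is_explanation` with the mapping obtained by enumerating its kept indices.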
We can now prove that $A_D$ safely implements $A_S$.

Theorem 7.12 ($A_D$ safely implements $A_S$)

$A_D \sqsubseteq_S A_S$

Proof

Directly by Lemma 7.11 and the soundness of image-finite backward simulations with respect
to the safe implementation relation (Lemma 5.8).



7.2.3 Correctness 

Before we can prove the main theorem of this chapter, that $D$ is a correct implementation of
$S$, we need to prove some basic lemmas about $S$ and $D$. In the remainder of this chapter we
use the following abbreviations.

$SM = \{\mathit{send\_msg}(m) \mid m \in \mathit{Msg}\}$
$RM = \{\mathit{receive\_msg}(m) \mid m \in \mathit{Msg}\}$

From the safe I/O automata $A_S$ and $A_D$ we get the following lemmas.

Lemma 7.13

$A_S \models \Box(\Box(\mathit{status} \in \mathit{Bool}) \Rightarrow \Box\neg\langle SM\rangle)$

Proof

Immediate from the definition of $A_S$ since any send_msg(m) step would change $\mathit{status}$ to ${?}$.

Lemma 7.14

1. $A_D \models \Box(\Box\neg\langle SM\rangle \Rightarrow \Box(|\mathit{queue}^\circ| \le |\mathit{queue}|))$

2. $A_D \models \Box(\langle RM\rangle \Rightarrow |\mathit{queue}^\circ| = |\mathit{queue}| - 1)$

Proof

Immediate from the definition of $A_D$ since only send_msg(m) steps can add elements to $\mathit{queue}$,
and receive_msg(m) steps remove one element from $\mathit{queue}$.



The following two lemmas prove properties of live executions of D. The lemmas deal with live 
executions where, from some point on, no send_msg(m) actions occur and neither the sender nor 
the receiver is in recovery phase. Then, in the first lemma, we prove that eventually elements will 
be removed from queue, which, in the second lemma, is used to prove that queue is eventually 
emptied. 

The proofs of the lemmas introduce the way we write structured proofs of temporal properties 
of our systems. The proof style is due to Lamport. The following description is taken from 
[AL92b]: 
We use hierarchically structured proofs. The theorem to be proved is statement
$\langle 0\rangle 1$. The proof of statement $\langle i\rangle j$ is either an ordinary paragraph-style proof or the
sequence of statements $\langle i+1\rangle 1$, $\langle i+1\rangle 2$, ... and their proofs. Within a proof,
$\langle k\rangle l$ denotes the most recent statement with that number. A statement has the form

Assume: Assump
Prove: Goal

which is abbreviated to Goal if there is no assumption. The assertion Q.E.D. in
statement number $\langle i+1\rangle k$ of the proof of statement $\langle i\rangle j$ denotes the goal of statement
$\langle i\rangle j$. The statement

Case: Assump

is an abbreviation for

Assume: Assump
Prove: Q.E.D.

Within the proof of statement $\langle i\rangle j$, Assumption $\langle i\rangle$ denotes that statement's assumption,
and Assumption $\langle i\rangle.k$ denotes the assumption's $k$th item.

Lemma 7.15

$L_D \models \forall k : \Box(\Box(\neg\langle SM\rangle \wedge \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false}) \Rightarrow
((|\mathit{queue}| = k \wedge k > 0) \leadsto |\mathit{queue}| < k))$

Proof

Assume: $\alpha \in L_D$
Prove: $\alpha \models \forall k : \Box(\Box(\neg\langle SM\rangle \wedge \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false}) \Rightarrow
((|\mathit{queue}| = k \wedge k > 0) \leadsto |\mathit{queue}| < k))$

$\langle 1\rangle 1$. Assume: $k \ge 0$
Prove: $\alpha \models \Box(\Box(\neg\langle SM\rangle \wedge \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false}) \Rightarrow
((|\mathit{queue}| = k \wedge k > 0) \leadsto |\mathit{queue}| < k))$

$\langle 2\rangle 1$. Assume: $\alpha_1$ is an arbitrary suffix of $\alpha$
Prove: $\alpha_1 \models \Box(\neg\langle SM\rangle \wedge \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false}) \Rightarrow
((|\mathit{queue}| = k \wedge k > 0) \leadsto |\mathit{queue}| < k)$

$\langle 3\rangle 1$. Assume: $\alpha_1 \models \Box(\neg\langle SM\rangle \wedge \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$
Prove: $\alpha_1 \models (|\mathit{queue}| = k \wedge k > 0) \leadsto |\mathit{queue}| < k$

$\langle 4\rangle 1$. $\alpha_1 \models \Box\neg\langle SM\rangle \Rightarrow \Box(|\mathit{queue}^\circ| \le |\mathit{queue}|)$
Proof: By Lemma 7.14 Part 1, Lemma 3.5 Part 1 and Rule Par.
$\langle 4\rangle 2$. $\alpha_1 \models \Box(|\mathit{queue}^\circ| \le |\mathit{queue}|)$
Proof: By $\langle 4\rangle 1$, Assumption $\langle 3\rangle$, and Rule MP.
$\langle 4\rangle 3$. $\alpha_1 \models \Box((|\mathit{queue}| = k \wedge k > 0) \Rightarrow (|\mathit{queue}| = k \mathrel{W} |\mathit{queue}| < k))$
Proof: By $\langle 4\rangle 2$.
$\langle 4\rangle 4$. $\alpha \models \mathit{WF}(RM, \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$
Proof: By proof assumption ($\alpha \in L_D$) and definition of $Q_D$, which
induces $L_D$.
$\langle 4\rangle 5$. $\alpha \models \Box\Diamond\neg(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge |\mathit{queue}| > 0) \vee \Box\Diamond\langle RM\rangle$
Proof: By $\langle 4\rangle 4$, the definition of $\mathit{WF}$, and noting that $\mathit{enabled}(RM) =
(|\mathit{queue}| > 0)$.
$\langle 4\rangle 6$. $\alpha_1 \models \Box\Diamond\neg(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge |\mathit{queue}| > 0) \vee \Box\Diamond\langle RM\rangle$
Proof: By $\langle 4\rangle 5$, Lemma 3.5 Part 1, and the definition of disjunction.
$\langle 4\rangle 7$. $\alpha_1 \models \Diamond\neg(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge |\mathit{queue}| > 0) \vee \Diamond\langle RM\rangle$
Proof: By $\langle 4\rangle 6$, Rule Par, and the definition of disjunction.
$\langle 4\rangle 8$. $\alpha_1 \models \Box(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge |\mathit{queue}| > 0) \Rightarrow \Diamond\langle RM\rangle$
Proof: By rewriting $\langle 4\rangle 7$.
$\langle 4\rangle 9$. $\alpha_1 \models \Box(|\mathit{queue}| > 0) \Rightarrow \Diamond\langle RM\rangle$
Proof: By Assumption $\langle 3\rangle$, $\langle 4\rangle 8$, and Rule MP.
$\langle 4\rangle 10$. $\alpha_1 \models (|\mathit{queue}| = k \wedge \langle RM\rangle) \leadsto |\mathit{queue}| < k$
Proof: Implied by Lemma 7.14 Part 2.
$\langle 4\rangle 11$. Q.E.D.
Proof: By $\langle 4\rangle 3$, $\langle 4\rangle 9$, $\langle 4\rangle 10$, and Rule Pro2.

$\langle 3\rangle 2$. Q.E.D.
Proof: By $\langle 3\rangle 1$ and the definition of implication.

$\langle 2\rangle 2$. Q.E.D.
Proof: By $\langle 2\rangle 1$ and Lemma 3.5 Part 2.

$\langle 1\rangle 2$. Q.E.D.
Proof: By $\langle 1\rangle 1$ and Lemma 3.5 Part 5.



Lemma 7.16

$L_D \models \Box(\Box(\neg\langle SM\rangle \wedge \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false}) \Rightarrow \Diamond\Box(\mathit{queue} = \varepsilon))$

Proof

Assume: $\alpha \in L_D$
Prove: $\alpha \models \Box(\Box(\neg\langle SM\rangle \wedge \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false}) \Rightarrow \Diamond\Box(\mathit{queue} = \varepsilon))$

$\langle 1\rangle 1$. Assume: $\alpha_1$ is an arbitrary suffix of $\alpha$
Prove: $\alpha_1 \models \Box(\neg\langle SM\rangle \wedge \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false}) \Rightarrow \Diamond\Box(\mathit{queue} = \varepsilon)$

$\langle 2\rangle 1$. Assume: $\alpha_1 \models \Box(\neg\langle SM\rangle \wedge \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$
Prove: $\alpha_1 \models \Diamond\Box(\mathit{queue} = \varepsilon)$

$\langle 3\rangle 1$. $\alpha_1 \models \forall k : ((|\mathit{queue}| = k \wedge k > 0) \leadsto |\mathit{queue}| < k)$
Proof: By Lemma 7.15, Lemma 3.5 Parts 1, 5, and 6, and Rules Par and
MP.
$\langle 3\rangle 2$. $\alpha_1 \models \forall k : (k > 0 \Rightarrow \exists k' : (k' < k \wedge (|\mathit{queue}| = k \leadsto |\mathit{queue}| = k')))$
Proof: By $\langle 3\rangle 1$ and Lemma 3.5 Part 7.
$\langle 3\rangle 3$. $\alpha_1 \models \Diamond(|\mathit{queue}| = 0)$
Proof: By $\langle 3\rangle 2$ and Rule Pro1.
$\langle 3\rangle 4$. $\alpha_1 \models \Box\neg\langle SM\rangle \Rightarrow \Box(|\mathit{queue}^\circ| \le |\mathit{queue}|)$
Proof: By Lemma 7.14 Part 1, Lemma 3.5 Part 1 and Rule Par.
$\langle 3\rangle 5$. $\alpha_1 \models \Box(|\mathit{queue}^\circ| \le |\mathit{queue}|)$
Proof: By $\langle 3\rangle 4$, Assumption $\langle 2\rangle$, and Rule MP.
$\langle 3\rangle 6$. $\alpha_1 \models \forall k : \Box(|\mathit{queue}| = k \Rightarrow (|\mathit{queue}| = k \mathrel{W} |\mathit{queue}| < k))$
Proof: By $\langle 3\rangle 5$.
$\langle 3\rangle 7$. $\alpha_1 \models \Box(|\mathit{queue}| = 0 \Rightarrow (|\mathit{queue}| = 0 \mathrel{W} |\mathit{queue}| < 0))$
Proof: By $\langle 3\rangle 6$ and Lemma 3.5 Part 6.
$\langle 3\rangle 8$. $\alpha_1 \models \Box(|\mathit{queue}| = 0 \Rightarrow \Box(|\mathit{queue}| = 0))$
Proof: By $\langle 3\rangle 7$, the fact that $|\mathit{queue}| < 0$ is always false, and the definition
of $\Box$.
$\langle 3\rangle 9$. $\alpha_1 \models \Diamond\Box(|\mathit{queue}| = 0)$
Proof: By $\langle 3\rangle 3$, $\langle 3\rangle 8$, and Rule MP1.
$\langle 3\rangle 10$. Q.E.D.
Proof: Directly by $\langle 3\rangle 9$.

$\langle 2\rangle 2$. Q.E.D.
Proof: By $\langle 2\rangle 1$ and the definition of implication.

$\langle 1\rangle 2$. Q.E.D.
Proof: By $\langle 1\rangle 1$ and Lemma 3.5 Part 2.



An important advantage of this way of writing structured proofs of temporal properties is that 
at a first reading, one can concentrate on the first outermost levels of the proof. Once that has 
been understood, the details at lower levels can be considered. 
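As an added illustration of the temporal properties just proved (not code from the report), the following Python evaluates the step properties of Lemma 7.14, the formula of Lemma 7.16, and the weak-fairness formula $\mathit{WF}(RM, \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$ expanded as in step $\langle 4\rangle 5$ of Lemma 7.15, on executions of the queue part of $A_D$ represented as lassos (a finite prefix followed by a cycle repeated forever, on which $\Box$ and $\Diamond$ are decidable by inspecting finitely many suffixes). The `State` record, the lasso representation, the use of the internal action unmark for idle steps, and the two sample executions are constructed for this example. The STUCK execution shows what the liveness condition buys: it satisfies the antecedent of Lemma 7.16 but never empties the queue, and it is exactly the execution that is not weakly fair to $RM$.

```python
"""Checking the temporal properties of Lemmas 7.14-7.16 on concrete executions of
the queue part of A_D. Added example, not code from the report. An infinite
execution is a lasso (finite prefix + cycle repeated forever); only the variables
the lemmas mention are kept, and the action names are those of A_D."""
from dataclasses import dataclass
from typing import Callable, Iterator, List, Tuple


@dataclass(frozen=True)
class State:
    action: str      # action of the step leading into this state ("" for the start state)
    rec_s: bool
    rec_r: bool
    qlen: int        # |queue|


class Lasso:
    def __init__(self, prefix: List[State], cycle: List[State]) -> None:
        assert cycle, "the cycle must be non-empty"
        self.states = prefix + cycle
        self.loop = len(prefix)           # index the cycle jumps back to

    def positions_from(self, i: int) -> range:
        """Every distinct state position reachable from suffix i."""
        n = len(self.states)
        return range(i, n) if i < self.loop else range(self.loop, n)

    def steps(self) -> Iterator[Tuple[State, State]]:
        """All (pre, post) state pairs, including the wrap-around step of the cycle."""
        n = len(self.states)
        for i in range(1, n):
            yield self.states[i - 1], self.states[i]
        yield self.states[n - 1], self.states[self.loop]

    # Box and Diamond over a suffix; Box-Diamond and Diamond-Box are built from them.
    def always(self, pred: Callable[[State], bool], i: int = 0) -> bool:
        return all(pred(self.states[j]) for j in self.positions_from(i))

    def eventually(self, pred: Callable[[State], bool], i: int = 0) -> bool:
        return any(pred(self.states[j]) for j in self.positions_from(i))

    def always_eventually(self, pred: Callable[[State], bool], i: int = 0) -> bool:
        return all(self.eventually(pred, j) for j in self.positions_from(i))

    def eventually_always(self, pred: Callable[[State], bool], i: int = 0) -> bool:
        return any(self.always(pred, j) for j in self.positions_from(i))


def quiet(s: State) -> bool:
    """neg<SM> and rec_s = false and rec_r = false, evaluated at one state."""
    return s.action != "send_msg" and not s.rec_s and not s.rec_r


def respects_lemma_7_14(ex: Lasso) -> bool:
    """Part 1: without send_msg, |queue| never grows; Part 2: receive_msg removes one."""
    for pre, post in ex.steps():
        if post.action == "receive_msg" and post.qlen != pre.qlen - 1:
            return False
        if post.action != "send_msg" and post.qlen > pre.qlen:
            return False
    return True


def weak_fairness_rm(ex: Lasso) -> bool:
    """WF(RM, rec_s = false and rec_r = false), expanded as in step <4>5 of Lemma 7.15:
    Box Diamond neg(rec_s = false and rec_r = false and |queue| > 0) or Box Diamond <RM>."""
    def blocked(s: State) -> bool:
        return not (not s.rec_s and not s.rec_r and s.qlen > 0)
    return ex.always_eventually(blocked) or ex.always_eventually(lambda s: s.action == "receive_msg")


def lemma_7_16_holds(ex: Lasso) -> bool:
    """Box( Box(quiet) => Diamond Box(queue = empty) ), checked at every suffix."""
    return all((not ex.always(quiet, i)) or ex.eventually_always(lambda s: s.qlen == 0, i)
               for i in ex.positions_from(0))


# Constructed executions. LIVE drains the queue and then idles forever on the internal
# action unmark; STUCK keeps two messages in the queue forever, which is not weakly fair to RM.
LIVE = Lasso([State("", False, False, 2), State("receive_msg", False, False, 1),
              State("receive_msg", False, False, 0)], [State("unmark", False, False, 0)])
STUCK = Lasso([State("", False, False, 2)], [State("unmark", False, False, 2)])

if __name__ == "__main__":
    for name, ex in (("LIVE", LIVE), ("STUCK", STUCK)):
        print(name, respects_lemma_7_14(ex), weak_fairness_rm(ex), lemma_7_16_holds(ex))
```

Both sample executions satisfy the step properties of Lemma 7.14; only LIVE is weakly fair to $RM$, and only LIVE satisfies Lemma 7.16, which is the dependence the structured proof makes explicit at step $\langle 4\rangle 4$.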

The next lemma contains the main part of the proof that $D$ correctly implements $S$. It
states that for any $B_{DS}$-related executions of $A_D$ and $A_S$, if the execution of $A_D$ satisfies $Q_D$ (the
temporal formula which induces the liveness condition $L_D$), then the execution of $A_S$ satisfies
$Q_S$ (the temporal formula which induces the liveness condition $L_S$). The proof will be a proof
by cases based on a proof by contradiction: if we assume the execution of $A_S$ is not live, this
means that the execution does not satisfy one of the weak fairness formulas in the definition of
$Q_S$. By considering the weak fairness formulas one by one and deriving a contradiction in each
case, the result follows.
Lemma 7.17

Let $\alpha \in \mathit{exec}(A_D)$ and $\alpha' \in \mathit{exec}(A_S)$ be arbitrary executions of $A_D$ and $A_S$, respectively, with
$(\alpha, \alpha') \in B_{DS}$. Assume $\alpha \models Q_D$. Then $\alpha' \models Q_S$.

Proof

We prove the conjecture by contradiction. Thus,

Assume: $\alpha' \not\models Q_S$
Prove: False

$\langle 1\rangle 1$. $\alpha' \models \neg\mathit{WF}(C_{S,1}, \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false}) \vee
\neg\mathit{WF}(C_{S,2}, \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false}) \vee
\neg\mathit{WF}(C_{S,3}) \vee
\neg\mathit{WF}(C_{S,4})$
Proof: Immediate by the Assumption, the definition of $Q_S$, and the Boolean operators.

$\langle 1\rangle 2$. Case: $\alpha' \models \neg\mathit{WF}(C_{S,1}, \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$

$\langle 2\rangle 1$. $\alpha' \models \Diamond\Box\neg\langle C_{S,1}\rangle \wedge \Diamond\Box(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge \mathit{status} \in \mathit{Bool})$
Proof: From Case Hypothesis $\langle 1\rangle$ by expanding $\mathit{WF}$ and noting the fact that
$\mathit{enabled}_{A_S}(C_{S,1}) = (\mathit{status} \in \mathit{Bool})$.
$\langle 2\rangle 2$. $\alpha' \models \Diamond\Box\neg\langle C_{S,1}\rangle \wedge \Diamond\Box\neg\langle SM\rangle \wedge \Diamond\Box(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge \mathit{status} \in \mathit{Bool})$
Proof: By $\langle 2\rangle 1$, Lemma 7.13, and MP1.
$\langle 2\rangle 3$. $\alpha \models \Diamond\Box\neg\langle C_{S,1}\rangle \wedge \Diamond\Box\neg\langle SM\rangle \wedge \Diamond\Box(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$
Proof: By Lemmas 5.10 and 5.11 since $C_{S,1}$ consists of external actions and Definition
7.5 of $B_{DS}$ implies that for all $(s, u) \in B_{DS}$, if $u \models (\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$
then $s \models (\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$.
$\langle 2\rangle 4$. $\alpha \models \Diamond\Box\neg\langle C_{S,1}\rangle \wedge \Diamond\Box(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge \mathit{queue} = \varepsilon)$
Proof: By $\langle 2\rangle 3$, Lemma 7.16, and MP1.
$\langle 2\rangle 5$. $\alpha \models \Diamond\Box\neg\langle C_{S,1}\rangle \wedge \Diamond\Box(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge \mathit{status} \in \mathit{Bool})$
Proof: By $\langle 2\rangle 4$ and Invariant 7.1 Part 1.
$\langle 2\rangle 6$. $\alpha \models \neg\mathit{WF}(C_{D,1}, \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$
Proof: By $\langle 2\rangle 5$, the definition of $\mathit{WF}$, the fact that $C_{S,1} = C_{D,1}$ and the fact that
$\mathit{enabled}_{A_D}(C_{D,1}) = (\mathit{status} \in \mathit{Bool})$.
$\langle 2\rangle 7$. Q.E.D.
Proof: By $\langle 2\rangle 6$, the assumption that $\alpha \models Q_D$, and the definition of $Q_D$.

$\langle 1\rangle 3$. Case: $\alpha' \models \neg\mathit{WF}(C_{S,2}, \mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false})$

$\langle 2\rangle 1$. $\alpha' \models \Diamond\Box\neg\langle C_{S,2}\rangle \wedge \Diamond\Box(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge \mathit{queue} \ne \varepsilon)$
Proof: By expanding $\mathit{WF}$ and noting that $\mathit{enabled}_{A_S}(C_{S,2}) = (\mathit{queue} \ne \varepsilon)$.
$\langle 2\rangle 2$. $\alpha \models \Diamond\Box\neg\langle C_{S,2}\rangle \wedge \Diamond\Box(\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge \mathit{queue} \ne \varepsilon)$
Proof: By Lemmas 5.10 and 5.11 since $C_{S,2}$ consists of external actions and Definition
7.5 of $B_{DS}$ and Lemma 7.3 imply that for all $(s, u) \in B_{DS}$, if $u \models (\mathit{rec}_s = \mathit{false} \wedge
\mathit{rec}_r = \mathit{false} \wedge \mathit{queue} \ne \varepsilon)$ then $s \models (\mathit{rec}_s = \mathit{false} \wedge \mathit{rec}_r = \mathit{false} \wedge \mathit{queue} \ne \varepsilon)$.
$\langle 2\rangle 3$. $\alpha \models \neg\mathit{WF}(C_{D,2}, \mathit{rec}_s = \mathit{rec}_r = \mathit{false})$
Proof: By $\langle 2\rangle 2$, the definition of $\mathit{WF}$, the fact that $C_{S,2} = C_{D,2}$ and the fact that
$\mathit{enabled}_{A_D}(C_{D,2}) = (\mathit{queue} \ne \varepsilon)$.
$\langle 2\rangle 4$. Q.E.D.
Proof: By $\langle 2\rangle 3$, the assumption that $\alpha \models Q_D$, and the definition of $Q_D$.

$\langle 1\rangle 4$. Case: $\alpha' \models \neg\mathit{WF}(C_{S,3})$
$\langle 2\rangle 1$. Q.E.D.
Proof: Similar to Case $\langle 1\rangle 3$.

$\langle 1\rangle 5$. Case: $\alpha' \models \neg\mathit{WF}(C_{S,4})$
$\langle 2\rangle 1$. Q.E.D.
Proof: Similar to Case $\langle 1\rangle 3$.

$\langle 1\rangle 6$. Q.E.D.
Proof: By $\langle 1\rangle 1$ and the exhaustive cases $\langle 1\rangle 2$ to $\langle 1\rangle 5$.
■

Finally, we can prove that D correctly implements S. 

Theorem 7.18

$D \sqsubseteq_L S$

Proof

Immediate from Lemmas 7.11, 7.17, and 5.9.



The total proof of correctness of D has been partitioned into three parts. First, some invariants 
were proved. Then, a relation was defined and proved to be an image-finite backward simulation 
from $A_D$ to $A_S$. Note that it is usually during the simulation proof that one realizes which
invariants are needed. Thus, when performing the proof there is usually not this clear distinction 
between defining invariants and proving the simulation result, but for presentation purposes, we 
make the split. 

The third and final part of the proof is the liveness proof which, in conjunction with the 
simulation proof, allows us to conclude correctness. In the proofs at lower levels of abstraction, 
the same partition into three parts is found. 



The Generic Protocol G is defined and proved correct in the next chapter. 



Chapter 8 

The Generic Protocol G 



We can now start to introduce a more distributed view of the system. Both low-level protocols 
H and C consist of several parallel components: a sender, a receiver, two channels connecting 
the sender and receiver, and, for C, a clock subsystem. The G level consists of three parallel 
processes: a sender/receiver process and two channels. This is depicted in Figure 8.1. The
sender/receiver process of G can intuitively be viewed as "partly" distributed. It contains state 
variables which are intuitively manipulated by a sender part of the sender/receiver process 
and state variables which are intuitively manipulated by a receiver part. However, some state 
variables are manipulated by both the sender part and the receiver part of the sender/receiver 
process. These "centralized" variables describe aspects which will be implemented differently 
by H (using handshakes) and C (using timing assumptions). The "distributed" variables, on the 
other hand, will basically reoccur in both H and C, and will be manipulated similarly in G, H,
and C.

Thus, we have developed G to be as distributed as possible according to H and C, and to 
contain an abstract handling of the crucial aspects of choosing good identifiers, where H and C 
use different methods. By looking a little bit forward at H and C, we can make the following 
more detailed introduction to G: 

As mentioned in Chapter 1, solutions to the at-most-once message delivery problem work by 
tagging each message with a unique identifier and sending it repeatedly over the channel. The 
receiver will only accept messages which are marked with "good" identifiers. 

Thus, the two protocols H and C both go through three major phases during normal opera- 
tion. 
Figure 8.1: The Generic Protocol G.
Choosing a message identifier. The sender picks an identifier id that is within the set of
identifiers that the receiver is willing to accept. In C time bounds are used to choose a
good identifier; in H an initial handshake between the sender and the receiver is used.

Sending the message and getting acknowledgement. This phase is similar in both H and
C. The sender (re)transmits the current message with the chosen id, until it receives an
acknowledgement packet for that id.

Cleaning up. Here again, C uses time bounds (in particular timeouts) whereas H uses a handshake
to determine when some "old" information may be discarded.

Our Generic Protocol G is designed to capture these three phases in an abstract way that both H 
and C implement. The key abstractions incorporated into the protocol G are two "centralized" 
variables, good s and good r . The variable good s represents the identifiers that the sender might 
shortly assign to messages, and good r represents the identifiers that the receiver is willing to 
accept. Four actions of G deal with "growing" and "shrinking" good s and good r , respectively. 

The preconditions of the grow and shrink actions are designed to preserve certain key invari- 
ants. We actually allow more freedom in these actions than is actually needed by H and C. This 
leaves open the possibility that other low-level protocols, other than H and C, can be proved to 
be correct implementations of G. 

The rest of this chapter is organized as follows. Section 8.1 introduces the set of message 
identifiers. Section 8.2 then formally defines the channels in G. Then, in Section 8.3, we present 
the sender/receiver process, and in Section 8.4 we show how G is obtained from the subprocesses. 
Finally, in Section 8.5 we consider the proof that G correctly implements D. 

8.1 Message Identifiers 

In G and the lower level protocols we need a set of identifiers in order to label the messages communicated over the channels. In C the identifiers are timestamps ranging over the non-negative reals; in H the identifiers are just taken from some infinite set of elements. In G we use a set ID on which we place some constraints. When proving correct implementation for a lower-level protocol, ID is then instantiated with the set used at that lower level, and this set must satisfy the constraints on ID. Thus, G can be seen to be parameterized with ID. G correctly implements S for any proper value of ID; the low-level protocols correctly implement G for particular proper values of ID. The constraints on ID are:

1. ID is infinite.

2. nil ∉ ID. We need nil as a special value.

8.2 The Channels 

As depicted in Figure 8.1, the G level contains two channels: a channel Ch_sr intuitively for sending packets [1] from the sender part to the receiver part of the sender/receiver process, and a channel Ch_rs in the other direction (for acknowledgements).

[1] Here and elsewhere, we use the term "packet" to denote objects sent over the channels; we reserve the term "message" for the "higher-level", user-meaningful messages that appear, e.g., in the specification.

Below we specify the Ch_sr channel as a live I/O automaton (A_Ch,sr, L_Ch,sr). The Ch_rs = (A_Ch,rs, L_Ch,rs) channel is similar and can be obtained from the definition of Ch_sr by replacing the state variable sr by rs and the actions send_pkt_sr(p) and receive_pkt_sr(p) by send_pkt_rs(p) and receive_pkt_rs(p).

8.2.1 States and Start States 

Ch_sr has only one state variable which contains the packets (including duplicates) currently in the channel. We let Ch_sr be parameterized with a set P of possible packets.

Variable   Type   Initially   Description
sr         B(P)   ∅           The packets (including duplicates) in the channel.



8.2.2 Actions 

The channel only has two types of actions: send_pkt_sr(p), which represents the input of packet p from the environment, and receive_pkt_sr(p), which represents the output of packet p from the channel.

Input:
    send_pkt_sr(p), p ∈ P
Output:
    receive_pkt_sr(p), p ∈ P
Internal:
    none

8.2.3 Steps 

The channel is not reliable. This means that it may remove or duplicate packets. We have chosen to model this unreliability at the time of a send_pkt_sr(p) step.

send_pkt_sr(p)
  Effect:
    add a finite number of copies of p to sr

receive_pkt_sr(p)
  Precondition:
    p ∈ sr
  Effect:
    sr := sr \ {p}    (* remove one copy *)

In the specification, "a finite number" could mean 0. Note that we could have modeled the unreliability of the channel by having internal lose and duplicate actions which could remove or duplicate packets at any time. However, such a channel can be shown to be equivalent to our channel, so by our substitutivity results we will be able to substitute the channels for each other.

8.2.4 Liveness 

The receive_pkt_sr(p) steps of A_Ch,sr allow all received packets to be lost. With such a channel we cannot, of course, guarantee any liveness of the composed system, so we shall require that if we keep sending the same packet to the channel, then infinitely many will get through. Thus, if a packet is sent infinitely often, then it is also received infinitely often. Furthermore we impose the natural requirement that if a packet has succeeded in being put into the channel, then eventually it will be delivered.

Then the liveness condition L_Ch,sr for the channel is induced by the following liveness formula:

$$Q_{Ch,sr} = \forall p : \Box\Diamond(\mathit{send\_pkt}_{sr}(p)) \Rightarrow \Box\Diamond(\mathit{receive\_pkt}_{sr}(p)) \;\wedge\; \forall p : \mathit{WF}(\mathit{receive\_pkt}_{sr}(p))$$

We do not prove formally that Q_Ch,sr is an environment-free liveness formula for A_Ch,sr. However, we provide some intuition by informally describing an environment-free strategy (g, f) for Ch_sr (cf. Definitions 2.5 and 2.7): the g function of the strategy should on every input send_pkt_sr(p) add one copy of p to sr. This means that when we are playing the game against the environment, whenever a send_pkt_sr(p) input arrives, receive_pkt_sr(p) will stay enabled at least until it is executed.

The f function of the strategy, i.e., the function that determines the moves of the channel, should then work as follows: when the game commences after some finite execution, there are only finitely many packets in sr. The strategy can order these and use its first moves on outputting the packets. In the meantime send_pkt_sr(p) actions occur. When the strategy has finished outputting initial packets it should start matching each send_pkt_sr(p) action with a receive_pkt_sr(p) action. Since f has access to the history of the game so far, it should simply at its first move after having output initial packets perform receive_pkt_sr(p_1) if the first input action of the game was send_pkt_sr(p_1), and generally at its nth move perform receive_pkt_sr(p_n) if the nth input action of the game was send_pkt_sr(p_n). Even though the environment may provide several (but only a finite number of) input actions at each move and, thus, might be "faster" than the channel, at any point in time the channel only has finitely many "unmatched" inputs which it will eventually have matched. The point is that the environment can never have sent infinitely many copies of the same packet without the channel having output infinitely many copies of the same packet, and all packets put into the channel will eventually be output. If f has matched all inputs, it should simply return the empty move ⊥ since in this case the channel is empty.

Note that, by Proposition 3.4, Q_Ch,sr is stuttering-insensitive.

8.3 The Sender/Receiver Process 

We specify the sender/receiver process as a live I/O automaton G_s/r = (A_G,s/r, L_G,s/r).

8.3.1 States and Start States

As mentioned in the introduction to this chapter, A_G,s/r intuitively consists of a sender part and a receiver part such that some state variables are only manipulated by the sender part, some state variables are only manipulated by the receiver part, and some state variables are manipulated by both parts. Thus, the state variables of A_G,s/r are consequently grouped into the following three classes. (When we write "sender" below, we refer to the sender part of the sender/receiver process. Similarly for "receiver".)
Each variable is listed with its type, its initial value, and a description.

Sender variables:

mode_s  (type {idle, needid, send, rec}; initially idle)
    The mode of the sender. Mode idle indicates that the sender is not in the process of sending a packet over the channel, needid indicates that the sender is ready to choose an identifier for the current message, and send indicates that the sender is sending (repeatedly) the current packet (consisting of the current message with identifier) over the channel. Mode rec denotes that the sender is in recovery phase.

buf_s  (type Msg*; initially ε)
    The list of messages at the sender side.

used_s  (type ID*; initially ε)
    A list containing all identifiers assigned to messages in the past. These identifiers will never be used again. The list induces a partial order on identifiers (see below).

current-msg_s  (type Msg ∪ {nil}; initially nil)
    When mode_s ∈ {needid, send}, this variable contains the "current" message, i.e., the message about to be or being sent. In the other modes current-msg_s is not used and is set to nil.

last_s  (type ID ∪ {nil}; initially any value)
    When mode_s = send this variable contains the identifier chosen for the current message. In all other modes its value is not used. Due to requirements in low-level protocols (where last_s could, e.g., be a timestamp), last_s is allowed to assume arbitrary values when it is not used.

current-ack_s  (type Bool; initially false)
    Acknowledgement from the receiver.

Receiver variables:

mode_r  (type {idle, rcvd, ack, rec}; initially idle)
    The mode of the receiver. Mode idle indicates that the receiver has delivered all received messages to the user, rcvd indicates that messages have been accepted but not yet delivered to the user, ack indicates that the receiver is sending positive acknowledgements for the last message accepted to the sender. Mode rec denotes that the receiver is in recovery phase.

buf_r  (type Msg*; initially ε)
    The list of messages accepted by the receiver but not yet delivered.

last_r  (type ID ∪ {nil}; initially nil)
    Contains the identifier of the last message accepted. When its value is not used, it is assigned the special value nil.

issued_r  (type 𝒫(ID); initially any superset of good_r such that |ID \ issued_r| = ∞)
    Includes everything that was ever acceptable by the receiver, i.e., in good_r. Thus, issued_r is used to guarantee that "old" identifiers do not show up in good_r again, which could otherwise lead to duplicate delivery.

nack-buf_r  (type ID*; initially ε)
    A list of identifiers for which a negative acknowledgement will be issued.

Shared variables:

good_s  (type 𝒫(ID); initially any set)
    When mode_s = needid this set contains all the identifiers that the sender might choose for the current message. In all other modes its value is not used.

good_r  (type 𝒫(ID); initially any set)
    At any time this set contains the identifiers the receiver will accept from the channel.

current-ok  (type Bool; initially false)
    If current-ok = true the identifier chosen for the current message is considered good by the receiver, but the current message has not been accepted by the receiver yet.


8.3.2 Partial Order of Identifiers 

In the G protocol we need an ordering of all the identifiers used as ids on messages sent by the sender. As we shall see below, an identifier id is chosen in a choose_id(id) step, so if a choose_id(id) step has occurred before a choose_id(id') step, we will require that id is less than id' in this ordering. Since we collect — as we shall see — all the ids used by the sender in used_s, we use the following partial order derived from the state of G:

    If used_s contains distinct elements and id precedes id' in used_s, then id <_u id'.

In arbitrary states of G the same identifier might occur several times in used_s; however, below we shall prove an invariant (Invariant 8.2 Part 2 on Page 125), which states that the elements of used_s are all distinct, which then implies that all identifiers ever used by the sender during execution are related by <_u. Since identifiers of ID can be tested for equality (=), the definition of <_u trivially extends to ≤_u.

8.3.3 Actions 

Input:
    send_msg(m), m ∈ Msg
    receive_pkt_sr(m, id), m ∈ Msg, id ∈ ID
    receive_pkt_rs(id, b), id ∈ ID, b ∈ Bool
    crash_s
    crash_r
Output:
    receive_msg(m), m ∈ Msg
    ack(b), b ∈ Bool
    send_pkt_sr(m, id), m ∈ Msg, id ∈ ID
    send_pkt_rs(id, b), id ∈ ID, b ∈ Bool
    recover_s
    recover_r
Internal:
    prepare
    choose_id(id), id ∈ ID
    shrink_good_s(ids), ids ⊆ ID
    shrink_good_r(ids), ids ⊆ ID
    grow_good_s(ids), ids ⊆ ID
    grow_good_r(ids), ids ⊆ ID
    cleanup_r

8.3.4 Steps 

Before we formally define steps(A_G,s/r) we provide some intuition. During normal operation the sender goes through the cycle idle-needid-send-idle of modes. When the sender is in mode idle and buf_s is non-empty, a prepare step moves to mode needid and makes the message at the head of buf_s the current message. Now "good" identifiers must be put into good_s. Exactly how this is done will be discussed below. An identifier id for the current message is chosen from good_s in a choose_id(id) step. In such a step the sender enters send mode in which it repeatedly sends the current message m with associated current identifier id in send_pkt_sr(m, id) steps. The sender will stay in this mode until it receives a positive (b = true) or negative (b = false) acknowledgement receive_pkt_rs(id, b) for the current identifier. In this case the sender moves to mode idle again from where acknowledgements ack(b) can be issued to the user (but only if buf_s is empty since otherwise the sender is not acknowledging the last message sent, as required). If the receiver receives a packet (m, id) in a receive_pkt_sr(m, id) step, it checks to see whether id is in good_r. If this is the case it accepts [2] the message m, adds it to the end of buf_r and enters mode rcvd (if it was not there already). Mode rcvd indicates that the receiver has messages in buf_r and is in the process of delivering these messages to the user. Once the last message in buf_r has been delivered in a receive_msg(m) step, the receiver enters ack mode in which it will issue positive acknowledgements in send_pkt_rs(id, true) steps for the identifier id of the last message accepted from the sender (and thus the last message delivered to the user). These positive acknowledgements will be issued repeatedly to overcome the unreliability of the channel.

[2] We say that a packet (or the associated message) is "successfully received" or "accepted" when the associated identifier is in good_r at the time of receipt.

The above discussion has focused on the normal modes of operation of the sender and receiver, where no crashes have occurred. After the formal definition of steps(A_G,s/r), we explain what can happen when sender or receiver crashes occur.

We now look at the manipulation of the good sets. When a prepare step is performed, the good_s set is emptied. The sender is now in needid mode, waiting to perform a choose_id(id) step. Since id must be taken from good_s, this set must be "grown" with identifiers. Two types of steps can change good_s: shrink_good_s(ids) removes identifiers from good_s and grow_good_s(ids) adds identifiers to good_s. When the receiver has not been in recovery phase "recently", i.e., after the prepare step was performed, the sender and receiver should be in agreement about which identifiers are considered good. This situation is indicated by the special flag current-ok being true. In this situation grow_good_s(ids) can only add elements from good_r to good_s, and the shrink_good_r(ids) steps, which can remove elements from good_r, must not remove elements which are already in good_s. In this way we preserve the key invariant that if current-ok = true, then good_s ⊆ good_r, and, thus, the current packet is guaranteed to be accepted by the receiver (unless new crashes occur). A detail is that identifiers put into good_s might immediately be "shrunk" away by a shrink_good_s(ids) step that empties good_s. (If we look forward at C, only the value of the local sender clock is considered a good identifier. Thus, whenever the clock ticks, this corresponds, in G, to the old clock value being removed from good_s, and the new value being added to good_s.) When we deal with liveness below, we show how to guarantee that the sender will not grow and shrink good_s forever but will eventually choose an identifier in a choose_id(id) step.

If crashes occur, the low-level implementations H and C have no way of keeping good_s a subset of good_r. This must at the G level be reflected in the grow and shrink steps. We have designed these steps such that they preserve certain key invariants presented below. The steps actually allow more freedom than is needed by the implementations H and C, but in this way we have the possibility that other low-level implementations implement G. If, for instance, current-ok = false, it turns out to be necessary to allow shrink_good_r to remove elements from good_r which are already in good_s. If, furthermore, mode_r = rec, good_s can be grown fairly arbitrarily. It is in this situation possible to add elements to good_s which have never been issued by the receiver. This may give rise to a situation where the current identifier is not in good_r when the current packet is sent, but is added to good_r during transmission over the channel. (For this reason we shall, in the proofs below, introduce a derived variable good-ids containing identifiers from good_r and identifiers not issued yet. Packets with identifiers in good-ids have a chance of being accepted by the receiver.)

Other preconditions on the grow and shrink steps deal with guaranteeing that the sender and receiver do not reuse identifiers in their good sets. In particular, the set issued_r, which "survives" a crash (and thus has to be implemented in stable storage in the implementations), contains all identifiers that were ever in good_r. No identifiers in issued_r can ever be put in good_r. In this way it is guaranteed that the receiver will never — not even in the case of crashes — accept the same packet twice. Similarly, the sender will never choose an identifier which is in used_s.

We now define steps(A_G,s/r). To increase readability the steps of the sender and the steps of the receiver are listed in alternating groups, and the definition of each send_pkt step is placed next to the definition of the corresponding receive_pkt step.

send_msg(m)
  Effect:
    if mode_s ≠ rec then
      buf_s := buf_s ⌢ m

prepare
  Precondition:
    mode_s = idle ∧ buf_s ≠ ε
  Effect:
    mode_s := needid
    good_s := ∅
    current-msg_s := head(buf_s)
    buf_s := tail(buf_s)
    if mode_r ≠ rec then
      current-ok := true

choose_id(id)
  Precondition:
    mode_s = needid ∧ id ∈ good_s
  Effect:
    mode_s := send
    last_s := id
    used_s := used_s ⌢ id

send_pkt_sr(m, id)
  Precondition:
    mode_s = send ∧ last_s = id ∧ current-msg_s = m
  Effect:
    none

receive_pkt_sr(m, id)
  Effect:
    if mode_r ≠ rec then
      if id ∈ good_r then
        mode_r := rcvd
        buf_r := buf_r ⌢ m
        last_r := id
        good_r := good_r \ {id' | id' ≤_u id}
        if id = last_s ∧ mode_s = send then
          current-ok := false
      else if id ≠ last_r then
        if mode_s = send ∧ id = last_s then
          nack-buf_r := nack-buf_r ⌢ id
        else
          optionally nack-buf_r := nack-buf_r ⌢ id
      else if mode_r = idle then
        mode_r := ack

receive_msg(m)
  Precondition:
    mode_r = rcvd ∧ buf_r ≠ ε ∧ head(buf_r) = m
  Effect:
    buf_r := tail(buf_r)
    if buf_r = ε then
      mode_r := ack

receive_pkt_rs(id, b)
  Effect:
    if mode_s = send ∧ last_s = id then
      mode_s := idle
      current-ack_s := b
      last_s := arbitrary value
      current-msg_s := nil

ack(b)
  Precondition:
    mode_s = idle ∧ buf_s = ε ∧ current-ack_s = b
  Effect:
    none

send_pkt_rs(id, true)
  Precondition:
    mode_r = ack ∧ last_r = id
  Effect:
    optionally mode_r := idle

send_pkt_rs(id, false)
  Precondition:
    mode_r ≠ rec ∧ nack-buf_r ≠ ε ∧ head(nack-buf_r) = id
  Effect:
    nack-buf_r := tail(nack-buf_r)

crash_s
  Effect:
    mode_s := rec
    current-ok := false

crash_r
  Effect:
    mode_r := rec
    current-ok := false

recover_s
  Precondition:
    mode_s = rec
  Effect:
    mode_s := idle
    last_s := arbitrary value
    buf_s := ε
    current-msg_s := nil
    current-ack_s := false

recover_r
  Precondition:
    mode_r = rec
  Effect:
    mode_r := idle
    last_r := nil
    buf_r := ε
    nack-buf_r := ε
    issued_r := any superset of issued_r ∪ used_s ∪ good_s
                such that afterwards |ID \ issued_r| = ∞

grow_good_s(ids)
  Precondition:
    mode_s ≠ needid ∨
    ((mode_r ≠ rec ⇒ ids ⊆ issued_r) ∧
     (current-ok = true ⇒ ids ⊆ good_r) ∧
     (ids ∩ used_s = ∅))
  Effect:
    good_s := good_s ∪ ids

grow_good_r(ids)
  Precondition:
    ids ∩ issued_r = ∅ ∧ |ID \ (ids ∪ issued_r)| = ∞
  Effect:
    good_r := good_r ∪ ids
    issued_r := issued_r ∪ ids

shrink_good_s(ids)
  Precondition:
    none
  Effect:
    good_s := good_s \ ids

shrink_good_r(ids)
  Precondition:
    current-ok = false ∨
    ((mode_s = needid ⇒ ids ∩ good_s = ∅) ∧
     (mode_s = send ⇒ last_s ∉ ids))
  Effect:
    good_r := good_r \ ids

cleanup_r
  Precondition:
    mode_r ∈ {idle, ack} ∧ (mode_s = send ⇒ last_s ≠ last_r)
  Effect:
    mode_r := idle
    last_r := nil
Note that most locally-controlled steps of the sender and receiver are conditioned by mode_s and mode_r, respectively, not being rec. Also, inputs (except crash_s and crash_r) do not lead to state changes when the side at which they occur is crashed. Thus, G is "dead" when it is crashed. Furthermore, crashes and subsequent recoveries have the effect of resetting all state variables (except issued_r and used_s) at the side at which they occur. For instance, even if the sender is about to issue a positive acknowledgement to the user when a sender crash occurs, the sender has forgotten about this when it recovers. These choices about the way G behaves with respect to crashes are motivated by the low-level protocols H and C.

We now discuss certain special situations that can arise mainly due to crashes or recoveries. Assume that the sender is in send mode with (m_1, id_1) as the current packet. If a crash_s occurs, the sender forgets, among other things, everything about (m_1, id_1). However, before it crashed, the sender might have succeeded in placing (m_1, id_1) in the channel. Since we do not assume any time bounds on channel delays, (m_1, id_1) might travel very slowly on the channel. In the meantime the sender recovers, receives a new message m_2 in a send_msg(m_2) step, assigns the identifier id_2 to m_2, and starts sending (m_2, id_2) to the channel. Now both (m_1, id_1) and (m_2, id_2) are traveling on the channel, and both id_1 and id_2 might be in good_r. (The receiver has no way of knowing that the sender has been crashed.) In general, if crashes have occurred, several packets (m_1, id_1), ..., (m_k, id_k) with identifiers in good_r might be traveling on the channel. This gives rise to a race condition between the packets. Assume (m_i, id_i) is the first packet that reaches the receiver and gets accepted. Then the receiver is not allowed subsequently to accept any of the packets (m_1, id_1), ..., (m_{i-1}, id_{i-1}) since then either the receiver would accept the same message twice or it would reorder messages (since m_1, ..., m_{i-1} were sent before m_i). The messages m_1, ..., m_{i-1} are thus effectively lost, but since they were in the system during crashes, this is allowed by the Delayed-Decision Specification D (and consequently by the specification S). This explains the manipulation of good_r in the definition of the receive_pkt_sr(m, id) steps. If the sender crashes in needid mode, the same kind of race condition does not arise since the current packet has not been placed in the channel yet. However, messages get lost but, again, this is allowed by D.

If the receiver receives a packet (m, id) and id is not in good_r it will not accept the packet. Now, two situations must be considered (which correspond to the two "else-if" cases in the definition of receive_pkt_sr(m, id) above).

1. If id ≠ last_r, we are not just receiving another copy of the last packet accepted.

   • If mode_s = send and id = last_s, we are, due to crashes, in a situation where the sender is in send mode with a "bad" identifier. The receiver must inform the sender about this situation since otherwise the sender would be stuck forever. Thus, the receiver adds id to nack-buf_r which will lead to a send_pkt_rs(id, false) step. Note that since only one send_pkt_rs(id, false) will be performed, there is no guarantee that the packet will actually be put into the channel (which is unreliable). However, the sender continues to send (m, id), so packets will continue to get through (due to channel liveness) to the receiver. Every time this happens, the receiver will add id to nack-buf_r, so (id, false) will continue to be issued. By channel liveness in the other direction the sender will eventually receive (id, false) and thereby be dislodged.

   • If mode_s ≠ send or id ≠ last_s, the received packet (m, id) is not the current packet of the sender but instead some old packet from the channel. The low-level protocols we consider cannot always identify this situation — mainly because the receiver in a distributed implementation does not have access to mode_s and last_s. The C protocol can in some situations make some safe guesses, but generally a low-level protocol has to assume the worst case and thus add id to nack-buf_r. The G protocol leaves this possibility open.

2. If id = last_r, we are receiving a new copy of the last packet accepted. In this situation mode_r could be idle, in which case it should be changed to ack. The situation is explained as follows.

   Due to requirements in the low-level implementations, a send_pkt_rs(id, true) step must have the possibility of changing mode_r to idle, which disables further send_pkt_rs(id, true) steps. Thus, due to the unreliability of the channels, we are not sure that (id, true) actually arrives to inform the sender that the current packet was successfully received. But the sender will then continue to send (m, id) packets, and the (inevitable) receipt of some of these by the receiver will lead to a mode change to ack, which, in turn, leads to send_pkt_rs(id, true) steps. As above, channel liveness ensures that a receive_pkt_rs(id, true) step will eventually occur as required.

Some of this discussion has dealt with liveness. We now turn to the formal definition of the liveness condition for G_s/r.

8.3.5 Liveness 

Let

$$\begin{aligned}
C_{G,s/r,1} &= \{\mathit{prepare}, \mathit{ack}(true), \mathit{ack}(false), \mathit{recover}_s\} \cup \{\mathit{send\_pkt}_{sr}(m, id) \mid m \in \mathit{Msg} \wedge id \in ID\} \\
C_{G,s/r,2} &= \{\mathit{choose\_id}(id) \mid id \in ID\} \\
C_{G,s/r,3} &= \{\mathit{recover}_r\} \cup \{\mathit{receive\_msg}(m) \mid m \in \mathit{Msg}\} \cup \{\mathit{send\_pkt}_{rs}(id, true) \mid id \in ID\} \\
C_{G,s/r,4} &= \{\mathit{send\_pkt}_{rs}(id, false) \mid id \in ID\}
\end{aligned}$$

The liveness condition L_G,s/r for A_G,s/r is now induced by the following temporal formula.

$$Q_{G,s/r} = \mathit{WF}(C_{G,s/r,1}) \;\wedge\; \Box\big(\Box(\mathit{mode}_s = \mathit{needid} \wedge \mathit{mode}_r \neq \mathit{rec}) \Rightarrow \Diamond(C_{G,s/r,2})\big) \;\wedge\; \mathit{WF}(C_{G,s/r,3}) \;\wedge\; \mathit{WF}(C_{G,s/r,4})$$

The first, third, and fourth conjuncts express normal weak fairness for some locally-controlled actions of the sender and receiver, respectively.

The second conjunct looks more complicated but simply states that it is always the case that if the sender stays in mode needid and the receiver does not crash, then eventually a choose_id(id) step occurs. Thus, infinite growing and shrinking of the good sets are avoided. Note that this kind of liveness condition is more high-level than, e.g., weak fairness, but it exactly captures the intuitive requirement on the execution of the system, and the general model of live I/O automata allows such general liveness requirements.

As for the liveness formula for the channel Ch_sr above, we do not formally prove that Q_G,s/r is an environment-free liveness formula for A_G,s/r but instead provide some intuition as to how an environment-free strategy (g, f) could be defined: on inputs, the g function can choose arbitrarily between nondeterministic choices. The f function should deal with the four conjuncts of Q_G,s/r in a round-robin fashion: if it dealt with the first conjunct last time, it should deal with the second conjunct now, and so on. If it is time to deal with one of the weak-fairness formulas, f simply performs some step from the appropriate set if possible. The second conjunct needs more attention. Here f should do the following if mode_s = needid and mode_r ≠ rec, and do nothing otherwise:

1. If good_s ≠ ∅, then perform a choose_id(id) step.

2. Else, if good_r ≠ ∅, perform a grow_good_s(ids) step (with ids nonempty). Such a step is always possible when good_r ≠ ∅.

3. Else, perform a grow_good_r(ids) step with ids nonempty. Such a step is always possible since there are always infinitely many unissued identifiers left.

If Part 3 was performed, then Part 2 will be performed next time the second conjunct of Q_G,s/r is dealt with. If Part 2 was performed, then Part 1 will be chosen next time. This is under the assumption that the sender stays in mode needid and the receiver does not crash in the meantime, but if this is not satisfied, then the second conjunct does not restrict the execution at all.

Another thing to note is that, by Lemma 4.8 and Proposition 3.4, Q_G,s/r is stuttering-insensitive.

8.4 The Specification of G 

As depicted in Figure 8.1, G consists of the sender/receiver process and the two channels. So, first define G' = (A'_G, L'_G) to be the following live I/O automaton

where the set P of possible packets of the channels is instantiated with the packets that G_s/r can send and receive, i.e., packets of the form (m, id) and (id, b). Thus, G' is the parallel composition of the sender/receiver process and the channels. Since Q_G,s/r, Q_Ch,sr, and Q_Ch,rs are all stuttering-insensitive, Proposition 4.4 implies that L'_G is induced by

$$Q_G = Q_{G,s/r} \wedge Q_{Ch,sr} \wedge Q_{Ch,rs}$$

By Definition 2.2 the channel actions send_pkt_sr(m, id), receive_pkt_sr(m, id), send_pkt_rs(id, b), and receive_pkt_rs(id, b) are output actions of G'. Thus, to get G = (A_G, L_G) we hide these actions. Let

$$\begin{aligned}
A_G = {} & \{\mathit{send\_pkt}_{sr}(m, id) \mid m \in \mathit{Msg} \wedge id \in ID\} \;\cup \\
& \{\mathit{receive\_pkt}_{sr}(m, id) \mid m \in \mathit{Msg} \wedge id \in ID\} \;\cup \\
& \{\mathit{send\_pkt}_{rs}(id, b) \mid id \in ID \wedge b \in \mathit{Bool}\} \;\cup \\
& \{\mathit{receive\_pkt}_{rs}(id, b) \mid id \in ID \wedge b \in \mathit{Bool}\}
\end{aligned}$$

Then, define

$$G = G' \setminus A_G$$

By Proposition 4.5, L_G is induced by Q_G.

We can now turn attention to proving that G correctly implements D.

8.5 Correctness of G 

In this section we consider the proof that G = (A_G, L_G) correctly implements D = (A_D, L_D). This will be done in terms of a refinement mapping from A_G to A_D and a subsequent liveness proof. We perform the refinement proof in all detail, but only sketch the liveness proof. We refer to the formal liveness proof at the H level for a similar — but formal — liveness proof. First, we state some invariants of A_G.

8.5.1 Invariants

As mentioned in Chapter 7, during the process of performing a simulation proof, it usually becomes clear that certain invariants are needed: some situation in the proof is impossible to solve but it turns out that the state in which the situation occurs is not reachable. Thus, an invariant that avoids these "bad" states is found. In this section we present the invariants we need in the refinement mapping proof from A_G to A_D. The proofs of the invariants are deferred to Appendix C, where we furthermore consider the general way to prove invariants of safe (timed) I/O automata.

In the invariants we use a derived variable good-ids defined as follows: in any state s of A_G, define

$$s.\mathit{good\text{-}ids} = s.\mathit{good}_r \cup \overline{s.\mathit{issued}_r}$$

where $\overline{s.\mathit{issued}_r}$ is the complement of s.issued_r with respect to ID. A message assigned an id in s.good-ids might still be received successfully, i.e., accepted by the receiver.

The first invariant has two parts which state simple properties of the state when the sender is in send mode. (Recall from Appendix A that last_s ∈ used_s is shorthand notation for last_s ∈ elems(used_s). Similar notation will be used below.)

Invariant 8.1 

1. If mode s = send then last s £ used s 

2. If mode s = send then last s ^ nil 



When the sender is in needid mode, it can never choose among identifiers that have been used 
before (since such identifiers cannot be put into good s again). As a consequence used s contains 
distinct elements. 

Invariant 8.2 

1. If mode s = needid then used s n good s = 
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2. All elements of used, are distinct 



As expected a receiver mode of rcvd indicates that there are some messages in the receiver 
buffer which have not yet been delivered to the user. 

Invariant 8.3 

f . If mode r = rcvd then buf r ^ e 



The following invariant is a key invariant. It states relationships between and properties of the
different sets of identifiers in A_G.

In this invariant and other invariants below, we use the following definition: define, in any
state s of A_G, ids(sr) to be the set of id components of the packets in the sr channel. Formally,
we have

    ids(sr) = {id | m ∈ Msg ∧ (m, id) ∈ sr}

Similarly,

    ids(rs) = {id | b ∈ Bool ∧ (id, b) ∈ rs}

Invariant 8.4

1. issued_r ⊇ good_s if mode_s = needid ∧ mode_r ≠ rec

2. issued_r ⊇ good_r

3. issued_r ⊇ used_s if mode_r ≠ rec

4. used_s ⊇ ids(sr) ∪ (if mode_s = send then {last_s} else ∅)

5. used_s ⊇ nack-buf_r

6. used_s ⊇ ids(rs)

7. last_r ∉ good-ids

8. If last_r ≠ nil then last_r ∈ used_s



The following invariant states the fact that for any two packets in sr (possibly including the
current packet), if the packets have the same identifier, then the packets are equal (and thus
represent two copies of the same packet).

Invariant 8.5

1. Let pkts = sr ∪ (if mode_s = send then {(current-msg_s, last_s)} else ∅), and
   let (m, id) ∈ pkts and (m', id') ∈ pkts. Then
   if id = id' then m = m'

The next invariant states properties of reachable states where current-ok = true. Recall that
current-ok intuitively is a flag which is true whenever the sender is in the process of sending the
next message (packet), the receiver has not been in recovery phase since the last prepare action,
and the current packet has not been received yet. Thus, current-ok = true indicates that the
sender and receiver are synchronized and in agreement about which identifiers to use.

Invariant 8.6

1. If current-ok = true then mode_s ∈ {needid, send}

2. If current-ok = true then mode_r ≠ rec

3. If current-ok = true ∧ mode_s = send then last_s ≠ last_r

4. If current-ok = true ∧ mode_s = send then (last_s, b) ∉ rs

5. If current-ok = true ∧ mode_s = needid then good_s ⊆ good_r

6. If current-ok = true ∧ mode_s = send then last_s ∈ good_r

7. If current-ok = true ∧ mode_s = send then last_s ∉ nack-buf_r



In certain situations current-ok is guaranteed to be false. For instance, if the sender is in send
mode and the current packet has been accepted by the receiver (indicated by either last_s = last_r
or the fact that an acknowledgement for last_s is in rs).

Invariant 8.7

1. If mode_s = send ∧ last_s = last_r then current-ok = false

2. If mode_s = send ∧ (last_s, b) ∈ rs then current-ok = false



We now state properties of the identifiers in sr. Part 1 states that each identifier in sr has
been chosen before (or is equal to) the current identifier when mode_s = send. This is expressed
using the ordering ≤_u induced by used_s. Parts 2-4 state that if either (2) the current packet
has been accepted by the receiver, (3) the receiver has sent a positive acknowledgement for the
current packet to rs, or (4) the sender has received the positive acknowledgement, then none of
the identifiers in sr (possibly including the current identifier last_s) can ever become "good"
again, i.e., can never reappear in good_r. (These invariants among other things guarantee that A_G
can never reorder messages or accept the same packet twice.)

Invariant 8.8

1. If mode_s = send ∧ id ∈ ids(sr) then last_s ≥_u id

2. If mode_s = send ∧ last_s = last_r then ({last_s} ∪ ids(sr)) ∩ good-ids = ∅

3. If mode_s = send ∧ (last_s, true) ∈ rs then ({last_s} ∪ ids(sr)) ∩ good-ids = ∅

4. If mode_s = idle ∧ current-ack_s = true then ids(sr) ∩ good-ids = ∅



In certain situations buf_r is guaranteed to be empty. Part 1 of the following invariant states
that if mode_r = idle then buf_r is empty. This situation occurs if the receiver has just sent an
acknowledgement after having delivered the last message to the user, or if the receiver has just
recovered. Parts 2-4 deal with the situation where the current message is being acknowledged
over rs. Either (2) the receiver is sending positive acknowledgements for the last message
received (and passed on to the user), (3) the receiver has succeeded in placing the positive
acknowledgement in rs, or (4) the sender has already received the positive acknowledgement.

Invariant 8.9

1. If mode_r = idle then buf_r = ε

2. If mode_r = ack then buf_r = ε

3. If mode_s = send ∧ (last_s, true) ∈ rs then buf_r = ε

4. If mode_s = idle ∧ current-ack_s = true then buf_r = ε



The following invariant states that identifiers for which the receiver will send or has sent negative
acknowledgements can never (again) be considered "good" by the receiver.

Invariant 8.10

1. nack-buf_r ∩ good-ids = ∅

2. ids(rs) ∩ good-ids = ∅



Furthermore, the receiver can never issue negative acknowledgements for the current identifier
if it has accepted the current packet (unless new crashes have occurred).

Invariant 8.11

1. If mode_s = send ∧ last_s ∈ nack-buf_r then last_s ≠ last_r

2. If mode_s = send ∧ (last_s, false) ∈ rs then last_s ≠ last_r



Our final invariant states that there are always "enough" (read: infinitely many) identifiers
left that have not been issued. This is an important invariant since it ensures that a message
to be sent can always be associated with an identifier. The invariant will not be used in the
safety proof since not being able to choose an identifier does not violate any safety requirement.
Instead the invariant is essential for the system to guarantee any liveness requirements.

Invariant 8.12

1. |ID \ issued_r| = ∞
■ 

The conjunction of all invariants above (which is itself an invariant) will be referred to as I_G.

8.5.2 Safety

In this section we show the existence of a refinement mapping from A_G to A_D. However, first
we need some preliminary definitions.

Let s be any state of A_G which satisfies I_G. Define the possible pairs in s in the following
way:

    s.pos-pairs = {(m, id) ∈ s.sr | id ∈ s.good-ids ∧ (s.mode_s = send ⇒ id ≠ s.last_s)}

The pairs in s.pos-pairs represent the "old" packets in sr that still have a chance of being
successfully received by the receiver. Note that we do not count (s.current-msg_s, s.last_s) as a
possible pair when s.mode_s = send. Thus, the set of possible pairs in a state consists of packets
for which the sender never stayed around to receive an acknowledgement because of sender crashes.
If no crashes have ever occurred the set is empty.

We want to order the possible pairs of a state into a list reflecting the order in which the
pairs were sent. For this reason we define, for any state s of A_G which satisfies I_G, a total order
on the packets in s.sr based on the partial order on ids imposed by s.used_s (see Section 8.3.2):

    (m', id') <_u (m'', id'') if id' <_u id''

Invariant 8.4 Part 4 and Invariant 8.5 Part 1 imply that the order is indeed total on all packets
in s.sr for reachable states s of A_G.

Now, for any state s of A_G which satisfies I_G, define the possible list, written s.pos-list,
to be the list obtained by ordering the elements of s.pos-pairs according to the ordering just
introduced. (The closer to the head of the list, the smaller the value according to the ordering.)
Thus, s.pos-list is the list of those packets (excluding the current packet) that still might be
successfully received, and is ordered according to the order in which the packets were sent, with
older packets occurring towards the head of the list. For all states s of A_G not satisfying I_G,
define s.pos-list to be ε.

Define the function messages to extract the list of messages from a list of packets of sr.
Thus, if l = ((m_1, id_1), ..., (m_n, id_n)) then messages(l) = (m_1, ..., m_n).

When the mode of the sender is either needid or send, the value of current-msg_s is the message
to be sent to the receiver. (This message has already been removed from buf_s.) Now, the destiny
of this message might be unknown if there has been a crash, because then the id that has been
(or is to be) assigned to the message might not be in good-ids, or it might be removed from
good-ids before the message is received. The variable current-ok in A_G is precisely what we need
to state this uncertainty. So, the flag (OK or marked) to be associated with the current message
in the refinement mapping below is derived from current-ok in state s in the following way:

    s.current-flag = (if s.current-ok then OK else marked)

We now define the current queue, i.e., the part of the queue at the D level that corresponds to
the current message at the G level, as follows:

    s.current-queue = if s.mode_s = needid ∨ (s.mode_s = send ∧ s.last_s ∈ s.good-ids)
                      then ((s.current-msg_s, s.current-flag))
                      else ε

When the mode of the sender is send and last_s ∈ good-ids we denote by current pair the set
containing the pair (current-msg_s, last_s). In all other states this set is empty. Thus

    s.current-pair = if s.mode_s = send ∧ s.last_s ∈ s.good-ids
                     then {(s.current-msg_s, s.last_s)}
                     else ∅
We define a function R_GD from states(A_G) to states(A_D). This function will in Lemma 8.14 be
proved to be a refinement mapping from A_G to A_D with respect to I_G and I_D. In the definition,
when we write e.g. "buf_r paired with OK", we mean the element of (Msg × Flag)* obtained from
buf_r by pairing every message with OK.

Definition 8.13 (Refinement Mapping From A_G to A_D)

If s ∈ states(A_G) then define R_GD(s) to be the state u ∈ states(A_D) such that

1. u.rec_s = (s.mode_s = rec)
   u.rec_r = (s.mode_r = rec)

2. u.queue is the concatenation of

   • s.buf_r paired with OK

   • messages(s.pos-list) paired with marked

   • s.current-queue

   • s.buf_s paired with OK

3. u.status =
     (false, OK)                 if s.mode_s = rec                                          A
     else (?, OK)                if s.buf_s ≠ ε                                             B
     else (?, s.current-flag)    if s.mode_s = needid                                       C(i)
          (?, s.current-flag)    if s.mode_s = send ∧ s.last_s ∈ s.good-ids                 C(ii)
          (?, OK)                if s.mode_s = send ∧ s.last_s = s.last_r ∧ s.buf_r ≠ ε     C(iii)
          (true, OK)             if s.mode_s = send ∧ s.last_s = s.last_r ∧ s.buf_r = ε     C(iv)
          (true, marked)         if s.mode_s = send ∧ s.last_s ≠ s.last_r ∧
                                    (s.last_s, true) ∈ s.rs                                 C(v)
          (false, OK)            if s.mode_s = send ∧ s.last_s ∉ s.good-ids ∧
                                    s.last_s ≠ s.last_r ∧ (s.last_s, true) ∉ s.rs           C(vi)
          (s.current-ack_s, OK)  if s.mode_s = idle                                         C(vii)

It is easy to see that the cases in Part 3 of the definition are exhaustive. However, the cases
C(ii)-C(vi) overlap in some non-reachable states (where s.last_s ∈ s.good-ids ∧ (s.last_s =
s.last_r ∨ (s.last_s, true) ∈ s.rs), cf. Invariants 8.4 Part 7 and 8.10 Part 2). Since we shall only
be interested in the image of states satisfying the invariants, this is not a problem in practice.
However, to make R_GD a mapping from all states of A_G to states of A_D, we adopt the convention
that in cases C(ii)-C(vi) the first case (from top to bottom) that is satisfied by a given state is
chosen.

The intuition behind R_GD is as follows: When either the sender or receiver in A_G is in mode
rec this, of course, corresponds to A_D having either rec_s or rec_r set to true, respectively. This
is captured in Part 1.

Part 2 associates flags with the messages between the sender and the receiver. The messages in
buf_s and buf_r all get paired with the flag OK. That is because these messages are "safe" as long
as no new crashes occur. If a crash occurs at, e.g., the sender side, then of course the elements
in buf_s will be deleted, but this corresponds in A_D to marking these elements and dropping
them. So, the flag associated with a message (or the status below) should indicate the situation
for that message (or status) here and now.

The messages in pos-list are all paired with marked. As explained above, when pos-list
was defined, all elements of pos-list are "old" packets that still might be successfully received.
However, elements of pos-list lose this possibility (i.e., are removed from pos-list) if a packet with
a higher id is successfully received by the receiver (since otherwise A_G could rearrange messages).
Thus, messages in pos-list might be lost without any crashes occurring. For this reason these
messages are paired with marked in R_GD.

In current-queue the flag is current-flag. If the receiver has not been in rec mode (which
in this situation implies current-ok = true) since the last prepare action, we know that the id
assigned (or to be assigned) to the current message is in good_r (cf. Invariant 8.6 Parts 5 and
6). Unless crashes occur this will be the case until the current message is successfully received.
(Note that the successful receipt of a message from pos-list cannot cause the id of the current
message to be removed from good_r since all messages in pos-list have ids less than this id.) So, in
this situation current-flag = OK. On the other hand, if a crash has occurred the current message
might still be successfully received but it could be lost. In this case current-flag = marked as
required.

Part 3 deals with the status. First, recall that in A_D status records the status of the last message
sent to the system.

Case A deals with the situation where the sender has crashed. In this situation the last
message sent can only cause a negative acknowledgement to the user. Therefore status =
(false, OK).

In Case B, mode_s ≠ rec and buf_s ≠ ε. Thus, the last element sent is, for now, sitting safely
in buf_s. For this reason we have status = (?, OK).

C(i) and C(ii) describe the situation where the last element sent is in current-queue. Here
status = (?, current-flag), where current-flag = marked if there has been a crash, so that it is
permitted to "lose" status (i.e., change it to (false, OK)).

In C(iii) the last message sent has been received by the receiver and is sitting safely in buf_r.

In C(iv) this message has been passed on to the user and the receiver is in the process of
sending positive acknowledgements to the sender. This is a sure positive status, thus status =
(true, OK).

Case C(v) then describes the situation where a positive acknowledgement has been sent by
the receiver, but where the receiver subsequently has crashed. In this situation the positive
acknowledgement might eventually be successfully received by the sender, but, since the sender
keeps on sending its current packet until it receives an acknowledgement, the receiver might issue
negative acknowledgements for the current message and these negative acknowledgements could
pass the positive acknowledgements in rs such that the sender receives a negative acknowledge-
ment for the current message. The latter situation corresponds in A_D to status being lost. This
explains why status = (true, marked) in case C(v). Note that in the situation just explained,
the current message has been successfully delivered to the user, but a subsequent crash could
cause status to be lost anyway (recall that this is allowed by the specification).

Case C(vi) actually describes two situations: (a) the id assigned to the current message is
such that the current message can never be successfully received by the receiver. Thus, the
receiver can only issue negative acknowledgements for this message. The other situation is: (b)
the current message has been successfully received, but the receiver crashed before successfully
placing a positive acknowledgement on the channel rs. Again, only negative acknowledgements
can be received by the sender. This explains status = (false, OK).

Finally, case C(vii) reflects the acknowledgement received by the sender for the (last) current
message.
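As an added, executable illustration that is not part of the report and not the authors' code, the following Python models the derived variables of this section (good-ids, pos-pairs, pos-list, current-flag, current-queue) and the mapping R_GD of Definition 8.13, including the case analysis for status with the "first matching case wins" convention stated above, and evaluates them on a constructed A_G state; it also encodes a handful of the invariants of Section 8.5.1 as executable checks. The State container, the finite stand-in ID_SPACE for the set ID, the representation of used_s as a list whose order induces <_u, and the two sample states are assumptions of this example, not definitions from the report.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

OK, MARKED = "OK", "marked"
ID_SPACE = frozenset(range(1, 11))  # constructed finite stand-in for the set ID


@dataclass
class State:
    # The A_G variables that the invariants and R_GD read; this layout is assumed.
    mode_s: str                  # idle | needid | send | rec
    mode_r: str                  # idle | rcvd | ack | rec
    buf_s: list = field(default_factory=list)
    buf_r: list = field(default_factory=list)
    current_msg_s: Optional[str] = None
    current_ack_s: bool = False
    current_ok: bool = False
    last_s: Optional[int] = None
    last_r: Optional[int] = None
    used_s: list = field(default_factory=list)  # ids in the order chosen; induces <_u
    good_r: frozenset = frozenset()
    issued_r: frozenset = frozenset()
    nack_buf_r: frozenset = frozenset()
    sr: frozenset = frozenset()  # packets (m, id) on the sender-to-receiver channel
    rs: frozenset = frozenset()  # acknowledgements (id, b) on the receiver-to-sender channel

def good_ids(s):
    """s.good-ids = s.good_r ∪ (complement of s.issued_r with respect to ID)."""
    return s.good_r | (ID_SPACE - s.issued_r)

def pos_pairs(s):
    """Old packets in sr that may still be accepted; the current packet is excluded."""
    return {(m, i) for (m, i) in s.sr
            if i in good_ids(s) and not (s.mode_s == "send" and i == s.last_s)}

def pos_list(s):
    # Order by <_u, i.e. by the position of the id in used_s, oldest packet first
    # (Invariant 8.4 Part 4 guarantees every id in sr occurs in used_s).
    return sorted(pos_pairs(s), key=lambda p: s.used_s.index(p[1]))

def current_flag(s):
    return OK if s.current_ok else MARKED

def current_queue(s):
    if s.mode_s == "needid" or (s.mode_s == "send" and s.last_s in good_ids(s)):
        return [(s.current_msg_s, current_flag(s))]
    return []

def status(s):
    """Part 3 of Definition 8.13; among C(ii)-C(vi) the first matching case wins."""
    if s.mode_s == "rec":
        return (False, OK)                              # A
    if s.buf_s:
        return ("?", OK)                                # B
    if s.mode_s == "needid":
        return ("?", current_flag(s))                   # C(i)
    if s.mode_s == "idle":
        return (s.current_ack_s, OK)                    # C(vii)
    if s.last_s in good_ids(s):
        return ("?", current_flag(s))                   # C(ii)
    if s.last_s == s.last_r:
        return ("?", OK) if s.buf_r else (True, OK)     # C(iii) / C(iv)
    if (s.last_s, True) in s.rs:
        return (True, MARKED)                           # C(v)
    return (False, OK)                                  # C(vi)

def R_GD(s):
    """Definition 8.13: the A_D state that the A_G state s is mapped to."""
    queue = ([(m, OK) for m in s.buf_r]
             + [(m, MARKED) for (m, _) in pos_list(s)]
             + current_queue(s)
             + [(m, OK) for m in s.buf_s])
    return {"rec_s": s.mode_s == "rec", "rec_r": s.mode_r == "rec",
            "queue": queue, "status": status(s)}

def check_invariants(s):
    """A selection of the Section 8.5.1 invariants as executable checks on s."""
    g, used, ids_rs = good_ids(s), set(s.used_s), {i for (i, _) in s.rs}
    pkts = set(s.sr) | ({(s.current_msg_s, s.last_s)} if s.mode_s == "send" else set())
    return {
        "8.2.2": len(s.used_s) == len(used),
        "8.4.4": ({i for (_, i) in s.sr} | ({s.last_s} if s.mode_s == "send" else set())) <= used,
        "8.4.7": s.last_r not in g,
        "8.5.1": all(m == m2 for (m, i) in pkts for (m2, i2) in pkts if i == i2),
        "8.6.6": not (s.current_ok and s.mode_s == "send") or s.last_s in s.good_r,
        "8.10": not ((s.nack_buf_r | ids_rs) & g),
    }

# Constructed sample: the sender put (m1,1) on sr and crashed, recovered, put (m2,2) on sr
# and crashed again, recovered, and now sends m3 under id 3 with m4 waiting in buf_s; the
# receiver has accepted (m1,1) but not yet delivered it to the user.
SAMPLE = State(mode_s="send", mode_r="rcvd", buf_s=["m4"], buf_r=["m1"],
               current_msg_s="m3", current_ok=True, last_s=3, last_r=1, used_s=[1, 2, 3],
               good_r=frozenset({2, 3, 4, 5}), issued_r=frozenset({1, 2, 3, 4, 5}),
               sr=frozenset({("m1", 1), ("m2", 2), ("m3", 3)}))
# Constructed variant with current-ok = false and an empty buf_s: the current id is still
# in good-ids, so case C(ii) applies, but the current message is now flagged marked.
SAMPLE_MARKED = replace(SAMPLE, buf_s=[], current_ok=False)
```

On SAMPLE the image queue is (m1, OK), (m2, marked), (m3, OK), (m4, OK): the accepted message in buf_r and the buffered m4 are "safe", the old packet (m2, 2) in pos-list is only possibly deliverable, and the current message keeps flag OK because current-ok holds; status is (?, OK) by case B. On SAMPLE_MARKED the current element and the status flag both become marked, which is the situation case C(ii) is meant to capture.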

After having used our knowledge and intuition about A_G and A_D to define R_GD, we still need
to verify that R_GD is in fact a refinement mapping from A_G to A_D (with respect to I_G and I_D).
The following lemma states that this is the case.

Lemma 8.14

A_G ≤_R A_D via R_GD.

Proof

We prove that R_GD is a refinement mapping from A_G to A_D with respect to I_G and I_D. We check
the two conditions (which we call base case and inductive case, respectively) of Definition 5.2.

Base Case

It is easy to see that for any start state s of A_G, R_GD(s) is a start state of A_D.

Inductive Case

Assume (s, a, s') ∈ steps(A_G) such that s and s' satisfy I_G and R_GD(s) satisfies I_D (Invariant 7.1).
Below we consider cases based on a (and sometimes subcases of each case) and for each (sub)case
we define a finite execution fragment α of A_D of the form (R_GD(s), a', u'', a'', u''', ..., R_GD(s'))
with trace(α) = trace(a). For brevity we let u denote R_GD(s) and u' denote R_GD(s').

Unless otherwise stated we let Part 1-3 refer to the three parts of Definition 8.13.
a = send_msg(m)

We consider cases based on s.mode_s.

1. s.mode_s ≠ rec

   Then it is easy to see that (u, send_msg(m), u') is a step of A_D and thus a finite execution
   fragment with the right trace.

2. s.mode_s = rec

   Then s' = s, so also u' = u.

   We show that (u, send_msg(m), u'', mark(I), u''', drop(I), u'), where u'', u''', and I are defined
   below, is a finite execution fragment of A_D by showing that (u, send_msg(m), u''),
   (u'', mark(I), u'''), and (u''', drop(I), u') are steps of A_D. Clearly the execution fragment
   has the right trace.

   Define u''.rec_s = u.rec_s
          u''.rec_r = u.rec_r
          u''.queue = u.queue ⌢ (m, OK)
          u''.status = (?, OK)
   Then obviously (u, send_msg(m), u'') ∈ steps(A_D).

   Define u'''.rec_s = u.rec_s (= true)
          u'''.rec_r = u.rec_r
          u'''.queue = u.queue ⌢ (m, marked)
          u'''.status = u''.status
   Thus the only difference between u'' and u''' is that the element at the end of queue is
   marked in u'''. Define I = {maxidx(u''.queue)}. Then, since u'''.rec_s = true, obviously
   (u'', mark(I), u''') ∈ steps(A_D).

   Finally, we have to show that (u''', drop(I), u') ∈ steps(A_D). First note that drop(I) is enabled
   in u''' since I contains the index of the last element of u'''.queue and this element is marked
   by explicit construction. It now suffices that the four state variables of A_D are handled
   correctly.

   rec_s and rec_r:
   We have (by construction and the fact that u' = u) u'''.rec_s = u'.rec_s and u'''.rec_r =
   u'.rec_r as required by the definition of drop(I) in A_D.

   queue:
   We have (again by construction and the fact that u' = u) u'''.queue = u'.queue ⌢
   (m, marked). Thus, since drop(I) requires the last element of queue to be deleted, queue
   is handled correctly.

   status:
   Since the element at the end of queue is deleted, the definition of drop(I) requires that
   u'.status = (false, OK), but this is the case since u.status = (false, OK) (from the definition
   of R_GD) and u' = u.

a = receive_msg(m)

We show that (u, receive_msg(m), u') ∈ steps(A_D). The step clearly has the right trace.

From the precondition of the receive_msg(m) steps in A_G we have that s.mode_r = rcvd,
s.buf_r ≠ ε, and head(s.buf_r) = m. The definition of R_GD then implies that u.queue ≠ ε
and head(u.queue) = (m, OK). Thus, from the definition of the receive_msg(m) steps in A_D we
see that receive_msg(m) is enabled in u. It now suffices to show that the four state variables of
A_D are handled correctly.

rec_s, rec_r, and queue:
It is easy to see that u'.rec_s = u.rec_s, u'.rec_r = u.rec_r, and u'.queue = tail(u.queue), as
required by the definition of receive_msg(m) in A_D.

status:
We consider cases based on which condition (A, B, C(i)-C(vii)) s satisfies in Part 3.

Suppose s satisfies the condition in case A, C(v), C(vi), or C(vii). Then s' satisfies the same
condition, so u.status = u'.status. Since in all cases u.status.stat ≠ ?, leaving status unchanged
is permitted by the definition of receive_msg(m) in A_D.

Suppose s satisfies the condition in case B, C(i), or C(ii). Then s' satisfies the same condition,
so u.status = u'.status. In all three cases it is easy to see that u'.queue ≠ ε, so it is allowed by
the definition of receive_msg(m) in A_D to leave status unchanged.

Suppose s satisfies the condition in case C(iii). If s'.buf_r ≠ ε then s' also satisfies this condition,
but in this case u'.queue ≠ ε, so it is permitted by the definition of receive_msg(m) in A_D to leave
status unchanged. So, assume s'.buf_r = ε. Then s' satisfies the condition in case C(iv). Thus,
u.status = (?, OK) and u'.status = (true, OK). Also, s'.buf_s = ε and Invariant 8.8 Part 2 implies
that both s'.pos-list = ε and s'.current-queue = ε. Then, since s'.buf_r = ε, u'.queue = ε. Thus,
changing status from (?, OK) to (true, OK) is as required by receive_msg(m) in A_D.

Finally, the precondition of receive_msg(m) in A_G implies that s cannot satisfy the condition
in case C(iv).

a = ack(b)

We show that (u, ack(b), u') ∈ steps(A_D). The step clearly has the right trace.

By definition of ack(b) in A_G we have s' = s, so also u' = u.

From the precondition of ack(b) in A_G we have s.mode_s = idle, s.buf_s = ε, and s.current-ack_s =
b. Then u.status = (s.current-ack_s, OK) = (b, OK) (by case C(vii) of Part 3). Thus, ack(b) is
enabled in u.

Since the flag component of u.status is OK, it is now easily seen that (u, ack(b), u') is a step of A_D.
a = crash_s

We show that (u, crash_s, u'', mark(I), u''', drop(I'), u'), where u'', u''', I, and I' are defined below,
is a finite execution fragment of A_D by showing that (u, crash_s, u''), (u'', mark(I), u'''), and
(u''', drop(I'), u') are steps of A_D. Clearly the execution fragment has the right trace.

Define u''.rec_s = true
       u''.rec_r = u.rec_r
       u''.queue = u.queue
       u''.status = u.status
Then clearly (u, crash_s, u'') ∈ steps(A_D).

First let i_cq = |s.buf_r| + |s.pos-list|. Then, define

    u'''.rec_s = u''.rec_s
    u'''.rec_r = u''.rec_r
    (u'''.queue, I, I') =
        (u''.queue, ∅, ∅)     if s.mode_s ∈ {idle, rec} ∨ (s.mode_s = send ∧ s.last_s ∉ s.good-ids)
        (q, {i_cq}, ∅)        if s.mode_s = send ∧ s.last_s ∈ s.good-ids ∧ (s.current-msg_s, s.last_s) ∈ s.sr,
                              where q = mark(u''.queue, {i_cq})
        (q, {i_cq}, {i_cq})   otherwise, where q = mark(u''.queue, {i_cq})
    u'''.status = (u''.status.stat, marked)

Since u''.rec_s = true, clearly mark(I) is enabled in u''. To prove that (u'', mark(I), u''') ∈
steps(A_D) it now suffices to show that all four state variables of A_D are handled correctly.

rec_s and rec_r:
Leaving rec_s and rec_r unchanged is as required by the definition of mark(I) in A_D.

queue:
By explicit construction of u'''.queue and I, it is easy to see that queue is handled correctly.

status:
Marking status is allowed by the definition of mark(I) in A_D.

Thus, (u'', mark(I), u''') ∈ steps(A_D).

Finally, we must show that (u''', drop(I'), u') ∈ steps(A_D). Clearly drop(I') is enabled in u''', so
it suffices to show that the four state variables of A_D are handled correctly.

rec_s and rec_r:
We have u'.rec_s = true = u'''.rec_s and u'.rec_r = u.rec_r = u'''.rec_r. Leaving rec_s and rec_r
unchanged is as required by the definition of drop(I') in A_D.

status:
We have u'.status = (false, OK) since s'.mode_s = rec, and this is allowed by the definition of
drop(I') in A_D.

queue:
First, assume s.mode_s ∈ {idle, rec} or s.mode_s = send ∧ s.last_s ∉ s.good-ids. Then it is
easy to see that u'.queue = u'''.queue = u.queue. Leaving queue unchanged is as required by
the definition of drop(I') in A_D since in this case I' = ∅.

Next, assume (s.mode_s = send ∧ s.last_s ∈ s.good-ids ∧ (s.current-msg_s, s.last_s) ∉ s.sr) or
s.mode_s = needid. Then we have s.current-queue = ((s.current-msg_s, s.current-flag)) and
s'.current-queue = ε. But the other three parts (buf_r, buf_s, and pos-list) that make up the
abstraction of a queue in A_D are unchanged. (Note, in the definition of u'''.queue in this case,
that the element in u''.queue that corresponds to s.current-queue has index i_cq.) Then it is
easy to see that u'.queue = delete(u'''.queue, {i_cq}). Thus, by explicit construction of I' and
the definition of drop(I') it is seen that queue is handled as required.

Finally, assume (s.mode_s = send ∧ s.last_s ∈ s.good-ids ∧ (s.current-msg_s, s.last_s) ∈ s.sr).
Again, we have s.current-queue = ((s.current-msg_s, s.current-flag)) and s'.current-queue = ε.
But in this case we have s'.pos-pairs = s.pos-pairs ∪ {(s.current-msg_s, s.last_s)}. Then Invari-
ant 8.8 Part 1 implies that s'.pos-list = s.pos-list ⌢ (s.current-msg_s, s.last_s). We now have
that the only difference between u'.queue and u.queue is that one of the elements (the one
corresponding to (s.current-msg_s, s.last_s)) in u'.queue is marked (which it might not be in
u.queue). But this gives us u'.queue = u'''.queue, and since I' = ∅ in this case, it is seen that
queue is handled as required by the definition of drop(I') in A_D.

Thus, (u''', drop(I'), u') ∈ steps(A_D) as required.

a = crash_r

We show that (u, crash_r, u'', mark(I), u'), where u'' and I are defined below, is a finite execution
fragment of A_D by showing that (u, crash_r, u'') and (u'', mark(I), u') are steps of A_D. Clearly
the execution fragment has the right trace.

Define u''.rec_r = true
       u''.rec_s = u.rec_s
       u''.queue = u.queue
       u''.status = u.status
Clearly (u, crash_r, u'') ∈ steps(A_D).

Define

    I = {|s.buf_r| + |s.pos-list|}   if s.mode_s = needid ∨ (s.mode_s = send ∧ s.last_s ∈ s.good-ids)
        ∅                             otherwise

We now show that (u'', mark(I), u') ∈ steps(A_D). First note that since u''.rec_r = true, the
definitions of I and R_GD imply that mark(I) is enabled in u''. It thus suffices to show that the
four state variables of A_D are handled correctly.

rec_s and rec_r:
We have u'.rec_r = true = u''.rec_r and u'.rec_s = u.rec_s = u''.rec_s. Leaving rec_s and rec_r
unchanged is as required by the definition of mark(I) in A_D.

queue and status:
First assume s.mode_s = needid or s.mode_s = send ∧ s.last_s ∈ s.good-ids. In this case the
only difference in states s and s' of the four components that make up the abstraction of a
queue in Part 2 is that the element in current-queue is marked in s' whereas it might be OK
in s. So, the only difference between u''.queue (= u.queue) and u'.queue is that the element
with index |s.buf_r| + |s.pos-list| has changed its flag to marked, but by definition of I in this
case, this is as required by the definition of mark(I) in A_D. For status, if s.buf_s ≠ ε then
u.status = u'.status = (?, OK) by Part 3 B. But leaving status unchanged is allowed by the
definition of mark(I) in A_D. If s.buf_s = ε then s satisfies either Part 3 C(i) or 3 C(ii) and s'
satisfies the same part. In this case status might change its flag from OK to marked but again
this is allowed by the definition of mark(I) in A_D.

Finally, in all other cases u.queue = u'.queue and u.status = u'.status, so mark(I) should be a
no-op, but again this is allowed by the definition of mark(I) in A_D since in this case I = ∅.

a = recover_s

We show that (u, mark(I), u'', drop(I), u''', recover_s, u'), where u'', u''', and I are defined below,
is a finite execution fragment of A_D by showing that (u, mark(I), u''), (u'', drop(I), u'''), and
(u''', recover_s, u') are steps of A_D. Clearly the execution fragment has the right trace.

Define I = {i | maxidx(u.queue) − (|s.buf_s| − 1) ≤ i ≤ maxidx(u.queue)}.

Thus, I contains the indices of the last |s.buf_s| elements in u.queue.

Define u''.rec_s = u.rec_s
       u''.rec_r = u.rec_r
       u''.queue = mark(u.queue, I)
       u''.status = u.status
Since s.mode_s = rec we have u.rec_s = true, so the definition of I implies that mark(I) is enabled
in u. Then it is easy to see that (u, mark(I), u'') ∈ steps(A_D).

Define u'''.rec_s = u''.rec_s
       u'''.rec_r = u''.rec_r
       u'''.queue = delete(u''.queue, I)
       u'''.status = (false, OK)
The definitions of I and u''.queue imply that drop(I) is enabled in u''. Now, to show that
(u'', drop(I), u''') ∈ steps(A_D), it suffices to show that the four state variables of A_D are handled
correctly.

rec_s and rec_r:
Leaving rec_s and rec_r unchanged is as required by the definition of drop(I) in A_D.

queue:
By explicit construction of u'''.queue, clearly queue is handled correctly.

status:
Since drop(I) is always allowed to change status to (false, OK), status is handled correctly.

Thus, (u'', drop(I), u''') ∈ steps(A_D).

Finally, we prove that (u''', recover_s, u') ∈ steps(A_D). Since u'''.rec_s = u''.rec_s = u.rec_s = true,
we have that recover_s is enabled in u'''. We show that the four state variables of A_D are handled
correctly.

rec_s and rec_r:
Leaving rec_r unchanged and changing rec_s from true to false is as required by the definition
of recover_s in A_D.

queue:
Note that s.current-queue = s'.current-queue = ε, s.pos-list = s'.pos-list, and s.buf_r =
s'.buf_r. So, since buf_s is emptied in the recover_s step of A_G, the only difference between
u.queue and u'.queue is that the last |s.buf_s| elements of u.queue are missing in u'.queue.
Thus, u'.queue = u'''.queue as required by the definition of recover_s in A_D.

status:
Since s'.mode_s = idle, s'.buf_s = ε, and s'.current-ack_s = false, we have u'.status = (false, OK)
by Part 3 C(vii). Thus, u'.status = u'''.status as required by the definition of recover_s in A_D.

Thus, (u''', recover_s, u') ∈ steps(A_D).

a = recover_r

We show that (u, mark(I), u'', drop(I), u''', recover_r, u'), where u'', u''', and I are defined below,
is a finite execution fragment of A_D by showing that (u, mark(I), u''), (u'', drop(I), u'''), and
(u''', recover_r, u') are steps of A_D. Clearly the execution fragment has the right trace.

First, define u''.rec_s = u.rec_s
              u''.rec_r = u.rec_r
              u'''.rec_s = u''.rec_s
              u'''.rec_r = u''.rec_r

Below we define I so that it contains indices of u.queue and indices of marked elements in
u''.queue. Then, since s.mode_r = rec we have u.rec_r = true, so mark(I) is enabled in u, drop(I)
is enabled in u'', and finally recover_r is enabled in u''' since we also have u'''.rec_r = true.

We now show that the four state variables in A_D are handled correctly by all steps in the
execution fragment.

rec_s and rec_r:
As in the case a = recover_s above it is easy to see that rec_s and rec_r are handled correctly.

queue:
Note that s'.good-ids ⊆ s.good-ids since issued_r might be extended in the recover_r step of
A_G. This leads to the observations that (a) either s'.current-queue = s.current-queue or
s'.current-queue = ε, and (b) s'.pos-pairs ⊆ s.pos-pairs, so that s'.pos-list can be obtained
from s.pos-list by deleting some elements. Also we have s.buf_s = s'.buf_s and s'.buf_r = ε.
Thus, u'.queue can be obtained from u.queue by deleting some elements. By letting I be the
indices of these elements, the elements are marked in the mark(I) step and then deleted in
the drop(I) step. Thus, queue is handled correctly.

status:
We consider cases based on which condition in Part 3 is satisfied by s.

Suppose s satisfies condition A. Then so does s', so we have u.status = u'.status = (false, OK)
which is allowed by the execution fragment of A_D.

If s satisfies condition B, then so does s', so we have u.status = u'.status = (?, OK). This is
allowed by the execution fragment of A_D provided that the element at the end of u.queue was
not deleted in the drop(I) step, but this is the case (that it was not deleted) since s.buf_s =
s'.buf_s ≠ ε.

Also, if s satisfies C(i) then so does s' (with s.current-flag = s'.current-flag), and this is
allowed since s.buf_s = s'.buf_s = ε and s.current-queue = s'.current-queue ≠ ε, so the last
element of u.queue was not deleted in the drop(I) step.

If s satisfies C(ii) then s.last_s = s'.last_s ∉ ids(s.rs) = ids(s'.rs) (by Invariant 8.10 Part 2)
and s.last_s ≠ nil (by Invariant 8.1 Part 2). Now, if s'.last_s ∈ s'.good-ids then s' satisfies
C(ii), so s.current-queue = s'.current-queue ≠ ε. As for case C(i) we see that this is allowed.
If s'.last_s ∉ s'.good-ids then, since s'.last_r = nil ≠ s'.last_s, s' satisfies condition C(vi), so
u'.status = (false, OK) which is allowed by the execution fragment.

Now, suppose s satisfies C(iii). Then Invariant 8.4 Part 7 implies s.last_s ∉ s.good-ids, which
again implies s'.last_s ∉ s'.good-ids since s'.good-ids ⊆ s.good-ids. Invariant 8.9 Part 3 im-
plies (s.last_s, true) ∉ s.rs, i.e., (s'.last_s, true) ∉ s'.rs. Thus, s' satisfies condition C(vi), so
u'.status = (false, OK) which is allowed by the execution fragment of A_D.

If s satisfies C(iv) we consider two subcases. If (s.last_s, true) ∉ s.rs the case is similar to case
C(iii) above. So assume (s.last_s, true) ∈ s.rs. Then s' satisfies C(v), so u.status = (true, OK)
and u'.status = (true, marked). This marking of status is allowed by mark(I) in A_D. The
total change of status is allowed if the element at the end of u.queue is not deleted in the
drop(I) step. Invariant 8.8 Part 2 implies that s.current-queue = s.pos-list = ε, so u.queue = ε;
thus there is no last element to be deleted. That suffices.

If s satisfies C(v), then so does s' (Invariant 8.1 Part 2 implies s'.last_s ≠ nil = s'.last_r). Thus,
u.status = u'.status = (true, marked). This is allowed since u.queue = ε (so the last element of
the queue cannot be deleted in the drop(I) step). To see why u.queue = ε, we have from C(v)
that s.buf_s = ε, and Invariants 8.8 Part 3 and 8.9 Part 3 imply s.current-queue = s.pos-list =
s.buf_r = ε. That suffices.

If s satisfies condition C(vi) then so does s' (arguments as above). Thus, u.status = u'.status =
(false, OK) which is allowed by the execution fragment.

Finally, if s satisfies condition C(vii), then so does s' . We then have u. status = u' .status = 
(s.current-ack s , OK). This is easily seen to be allowed if s. current- ack s = false. So, assume 
s. current- ack s = true. Then having u. status = u! .status = (true, OK) is allowed provided the 
element at the end of u. queue is not deleted in the drop (I) step. A sufficient condition is 
to show u. queue = e. From C(vii) we have s.buf s = s. current- queue = e and Invariants 8.8 
Part 4 and 8.9 Part 4 imply s.pos-list = s.buf r = e. Thus, u. queue = e. 

a = prepare

We consider two cases.

• s.mode_r = rec

We show that (u, mark(I), u') ∈ steps(A_D), where I = {|s.buf_r| + |s.pos-list|}. This step (and
execution fragment) clearly has the right trace (the empty trace).

Since s.mode_r = rec, we have u.rec_r = true, so clearly mark(I) is enabled in u.

We show that the four state variables of A_D are handled correctly.

rec_s and rec_r:
We have s.mode_s = idle and s'.mode_s = needid, so u.rec_s = u'.rec_s = false which is as
required by the definition of mark(I) in A_D. From the case hypothesis and the definition
of prepare in A_G, we have s.mode_r = s'.mode_r = rec, so u.rec_r = u'.rec_r = true which is
also as required by the definition of mark(I).

queue:
Note that the element at the head of buf_s is moved to current-msg_s in the prepare step of
A_G. From the definition of R_GD we have that this element goes from being OK when it was
in buf_s to being marked (s.mode_r = rec implies, by Invariant 8.6 Part 2, s'.current-ok =
false which in turn implies s'.current-flag = marked) when it is in current-queue. Neither
buf_r nor pos-list are changed in the prepare step. Thus, u'.queue is the same as u.queue
except that the message at position |s.buf_r| + |s.pos-list| is marked in u'.queue and OK in
u.queue. This is as required by the definition of mark(I) in A_D.

status:
We have u.status = (?, OK) since s.buf_s ≠ ε (from the precondition of the prepare step).
Either state s' satisfies Condition 3B, in which case u'.status = (?, OK), or s' satisfies
condition C(i), in which case u'.status = (?, false). Both of these situations are allowed
by the definition of mark(I) in A_D.

Thus, (u, mark(I), u') ∈ steps(A_D).

• s.mode_r ≠ rec

Here we have s'.current-flag = OK from the effect of the prepare step, so with arguments
similar to those used in the previous case it is easy to show that u' = u. Thus, the
execution fragment consisting of only the state u has the right trace. That suffices.

a = choose_id(id)

We consider two cases.

• s'.last_s ∉ s'.good-ids

We show that (u, drop(I), u') ∈ steps(A_D), where I = {|s.buf_r| + |s.pos-list|}. This step
(and finite execution fragment) clearly has the right trace (the empty trace).

We show that the four state variables of A_D are handled correctly.

rec_s and rec_r:
We have s.mode_s = needid, s'.mode_s = send, and s.mode_r = s'.mode_r which implies
u.rec_s = u'.rec_s and u.rec_r = u'.rec_r as required by the definition of drop(I) in A_D.

queue:
We note that s'.buf_s = s.buf_s, s'.pos-list = s.pos-list, and s'.buf_r = s.buf_r. However,
s'.current-queue = ε but s.current-queue ≠ ε. Thus, u'.queue can be obtained from
u.queue by deleting the element that corresponds to s.current-queue. From the case
hypothesis and the definition of choose_id(id) in A_G we have s.good_s ⊈ s.good-ids (note,
s'.good-ids = s.good-ids). Now, since s.mode_s = needid, Invariant 8.6 Part 5 implies
s.current-ok = false which again implies s.current-flag = marked. Thus, the flag of
the element s.current-queue is marked. Now, s.current-queue corresponds to position
|s.buf_r| + |s.pos-list| in u.queue. Since this element is marked, drop(I) is enabled in u.
Furthermore, it is easy to see that queue is handled correctly.

status:
If s.buf_s ≠ ε then also s'.buf_s ≠ ε, so both s and s' satisfy condition 3B. Thus, u.status =
u'.status = (?, OK). This is allowed by drop(I) since the element at the end of queue is not
deleted because s.buf_s = s'.buf_s ≠ ε. Now, if s.buf_s = ε, s satisfies condition 3C(i), i.e.,
u.status = (?, false) since s'.current-flag = marked (see the discussion for queue above).
We show that s' satisfies 3C(vi) such that u'.status = (false, OK) which is allowed by
drop(I). This amounts to showing s'.last_s ≠ s'.last_r and (s'.last_s, true) ∉ s'.rs since the
case hypothesis and the definition of choose_id(id) give us the rest:

From the definition of choose_id(id) we get id = s'.last_s ∈ s.good_s. Invariant 8.2 Part 1
then implies s'.last_s ∉ s.used_s. Also, s'.last_s ≠ nil by Invariant 8.1 Part 2. Invariant 8.4
Part 8 implies (since s.last_r = s'.last_r) that s'.last_r = nil or s'.last_r ∈ s.used_s. Thus,
we get s'.last_s ≠ s'.last_r as required. Also, since s'.last_s ∉ s.used_s, Invariant 8.4 Part 6
implies (s'.last_s, true) ∉ s.rs = s'.rs as required.

Thus, (u, drop(I), u') ∈ steps(A_D).

• s'.last_s ∈ s'.good-ids

We show u' = u by comparing the four state variables of A_D in u and u'. The execution
fragment u then has the right properties.

rec_s and rec_r:
We have s.mode_s = needid, s'.mode_s = send, and s.mode_r = s'.mode_r which implies
u.rec_s = u'.rec_s and u.rec_r = u'.rec_r as required.

queue:
Here we have s'.current-queue = s.current-queue. Then it is easy to see that u'.queue =
u.queue.

status:
We have that either both s and s' satisfy condition 3B, or s satisfies 3C(i) and s' satisfies
3C(ii). In both cases u'.status = u.status as required.

a = send_pkt_sr(m, id)

We show u = u' by comparing the four state variables of A_D in u and u'. The execution fragment
u then has the right properties.

rec_s and rec_r:
We have s.mode_s = s'.mode_s and s.mode_r = s'.mode_r which implies u.rec_s = u'.rec_s and
u.rec_r = u'.rec_r as required.

queue:
We have s'.buf_s = s.buf_s, s'.current-queue = s.current-queue and s'.buf_r = s.buf_r. The
send_pkt_sr(m, id) step might add some copies of (m, last_s) to the channel sr. However, since
mode_s = send, this does not change the value of pos-pairs, so s'.pos-list = s.pos-list. Thus,
u'.queue = u.queue.

status:
Whatever condition in Part 3 of Definition 8.13 s satisfies, s' satisfies the same. This implies
u'.status = u.status.

a = receive_pkt_sr(m, id)

Since this step may remove the last copy of (m, id) from the channel sr (a multiset), we generally
have s'.pos-pairs ⊆ s.pos-pairs. (Note that the ordering of pairs is unchanged since used_s is
unchanged.) Also, we have s'.buf_s = s.buf_s.

We consider cases.

• s.mode_r = rec

In this case the only change in the step of A_G is the above-mentioned change of the channel
sr. We show (u, drop(I), u') ∈ steps(A_D), where I is defined below. This step (and finite
execution fragment) clearly has the right trace (the empty trace).

I = ∅                    if (m, id) ∉ s.pos-list ∨ (m, id) ∈ s'.pos-list
I = {|s.buf_r| + i}      otherwise, where s.pos-list[i] = (m, id)

Clearly drop(I) is enabled in u (elements in pos-list correspond to marked elements in
u.queue). We show that all four state variables of A_D are handled correctly.

rec_s and rec_r:
It is easy to see that we have u'.rec_s = u.rec_s and u'.rec_r = u.rec_r (= false) as required
by the definition of drop(I) in A_D.

queue:
We have s'.current-queue = s.current-queue, s'.buf_s = s.buf_s, and s'.buf_r = s.buf_r.
Then the definition of I implies that queue is handled as required by the definition of
drop(I) in A_D.

status:
We have from Part 3 that u'.status = u.status since none of the variables occurring in
Part 3 are changed in the step of A_G. This is allowed by drop(I) provided either the value
of status is (false, OK) or the element at the end of queue was not deleted. For conditions
A, B, C(i), C(ii), and C(vi) this is obvious. For C(ii) and C(iii) we get from Invariant 8.8
Part 2 that pos-list = ε, so u'.queue = u.queue which suffices. For C(iv) Invariant 8.8
Part 3 implies in the same way that u'.queue = u.queue. Finally, for C(vii) only the case
where current-ack_s = true is of interest. But again we get u'.queue = u.queue, this time
because of Invariant 8.8 Part 4.

• s.mode_r ≠ rec

We consider cases based on the if-statement in the definition of receive_pkt_sr(m, id) in

— id ∈ s.good_r

This implies id ∈ s.good-ids.

We show that (u, drop(I), u'', unmark(I'), u'), where u'', I, and I' are defined below, is
a finite execution fragment of A_D. The execution fragment clearly has the right trace
(the empty trace).

rec_s and rec_r:
It is easy to see that we have u'.rec_s = u.rec_s and u'.rec_r = u.rec_r (≠ false). Define
u''.rec_s = u.rec_s and u''.rec_r = u.rec_r. Leaving rec_s and rec_r unchanged is as required
by the definitions of drop(I) and unmark(I') in A_D.

queue:
Since id ∈ s.good-ids we have that (m, id) ∈ s.pos-pairs ∪ s.current-pair where, by
definition, s.pos-pairs and s.current-pair are disjoint (all ids are different).
First, assume (m, id) ∈ s.pos-pairs. The effect of receiving this pair is to remove
from good_r (and thus from good-ids) all ids less than or equal to id. This corresponds
to removing an initial prefix of s.pos-list up to and including (m, id). At the same
time m is moved to the end of buf_r. Invariant 8.8 Part 1 and the fact that s.pos-pairs
and s.current-pair are disjoint give us s.current-queue = s'.current-queue. Thus,
u'.queue can be obtained from u.queue by deleting some elements corresponding to
the initial prefix of s.pos-list and changing the flag of the element corresponding to
(m, id) to OK (since now this element is in buf_r). Then clearly I and I' can be defined
so that the change in queue is as required by the definitions of drop(I) and unmark(I')
in A_D.

If (m, id) ∈ s.current-pair a similar argument gives us that u'.queue can be obtained
from u.queue by deleting all elements corresponding to elements in s.pos-list and
setting the flag of the element corresponding to s.current-queue to OK. In this case
s'.current-queue = ε. Again, I and I' can be defined.

status:
If s satisfies condition A, B, or C(i) of Part 3 then so does s'. This is allowed by
drop(I) and unmark(I') since either u'.status = (false, OK) or the element at the end
of u.queue was not deleted.

If s satisfies C(ii) then s' satisfies either C(ii) or C(iii). In both cases the element at the
end of u.queue was not deleted (as required) and the possible flag change of status
to OK is allowed by unmark(I').

s cannot satisfy C(iii), C(iv), or C(v) since then Invariant 8.8 Parts 2 and 3 would
imply that no packets in s.sr could be received successfully, which contradicts the
assumption that id ∈ s.good_r.

If s satisfies C(vi) then so does s'. This is allowed by drop(I) and unmark(I') in A_D.
Finally, assume s satisfies C(vii). Then s.current-ack_s = false since we otherwise
would have a contradiction with Invariant 8.8 Part 4. Thus, u'.status = u.status =
(false, OK) which is allowed by drop(I) and unmark(I') in A_D.

— id ∉ s.good_r

Then (u, drop(I), u') ∈ steps(A_D).

The proof is similar to the proof in case s.mode_r = rec above.

a = send_pkt_rs(id, b)

Here it is easy to see that u = u'. That suffices since then the execution fragment u of A_D
has the right properties.
a = receive_pkt_rs(id, b)

We consider cases.

• s.mode_s = send ∧ s.last_s = id

We show that (u, drop(∅), u'', unmark(∅), u'), where u'' is defined below, is a finite execution
fragment of A_D. The execution fragment clearly has the right trace (the empty trace).

Define u''.rec_s = u.rec_s
       u''.rec_r = u.rec_r
       u''.queue = u.queue

We will define u''.status below when we consider cases.

First note that drop(∅) and unmark(∅) are enabled in u and u'', respectively, since these
actions have no precondition. We show that all four state variables of A_D are handled
correctly by the two steps in the execution fragment.

rec_s and rec_r:
We obviously have u'.rec_s = u.rec_s = u''.rec_s and u'.rec_r = u.rec_r = u''.rec_r. Leaving
rec_s and rec_r unchanged is as required by the definitions of drop(∅) and unmark(∅) in
A_D.

queue:
First observe that s'.buf_s = s.buf_s and s'.buf_r = s.buf_r. Since (s.last_s, b) ∈ s.rs,
Invariant 8.10 Part 2 implies that s.last_s ∉ s.good-ids, thus s.current-queue = ε. Also
s'.current-queue = ε since s'.mode_s = idle. The receive_pkt_rs(id, b) step in A_G might
cause (s.current-msg_s, s.last_s) to be added to pos-pairs (the pair might have been put onto
sr but did not figure in s.pos-pairs because s.mode_s = send). (s.current-msg_s, s.last_s)
is, however, not added to pos-pairs since s.last_s ∉ s.good-ids as explained above. Thus,
we have s'.pos-list = s.pos-list. All in all we have u'.queue = u.queue. Leaving queue
unchanged is as required by the definitions of drop(∅) and unmark(∅) in A_D.

status:
State s cannot satisfy conditions A, C(i), and C(vii) of Part 3 because s.mode_s = send.
If s satisfies condition B then so does s'. By defining u''.status = u.status we have that
status is unchanged in the execution fragment, which is allowed by the definitions of
drop(∅) and unmark(∅) in A_D.

State s cannot satisfy condition C(ii) since s'.last_s ∉ s.good-ids as explained above.
Also, s cannot satisfy condition C(iii). If b = true then Invariant 8.9 Part 3 implies
s.buf_r = ε which contradicts condition C(iii). If b = false then Invariant 8.11 Part 2
implies s.last_s ≠ s.last_r which is also a contradiction.

Assume s satisfies condition C(iv). Then u.status = (true, OK). From the discussion in
the previous condition C(iii), we have b = true. Now, s.current-ack_s = b = true and
s'.mode_s = idle so s' satisfies condition C(vii). Thus, also u'.status = (true, OK). By
defining u''.status = (true, OK) we have that status is unchanged in the execution fragment,
which is allowed by the definitions of drop(∅) and unmark(∅) in A_D.

Next, assume s satisfies condition C(v). Then u.status = (true, marked). If b = true
then by condition C(vii) we have u'.status = (true, OK). This is allowed by drop(∅)
and unmark(∅) by defining u''.status = u.status. If b = false then, again, by condition
C(vii) u'.status = (false, OK) which is allowed by drop(∅) and unmark(∅) by defining
u''.status = u'.status.

Finally, if s satisfies C(vi) then b must be false since the condition states (s.last_s, true) ∉
s.rs. Thus, u.status = (false, OK) and by condition C(vii) also u'.status = (false, OK).
So, by defining u''.status = u.status, we leave status unchanged, which is allowed by the
definitions of drop(∅) and unmark(∅) in A_D.

• s.mode_s ≠ send ∨ s.last_s ≠ id

Then the only difference between s' and s is that s' has one less copy of (m, id) in the
channel rs.

We show that u' = u. Then the execution fragment u clearly has the right properties. We
check the state variables of A_D.

rec_s, rec_r, and queue:
Obviously rec_s, rec_r, and queue are the same in u and u'.

status:
No matter which condition in Part 3 s satisfies, s' satisfies the same condition, thus
u'.status = u.status. The only interesting case is if s satisfies condition C(v). The
condition states that s.mode_s = send, so the case hypothesis gives us that id ≠ s.last_s.
Thus, (m, id) ≠ (s.last_s, true). Then, since (s.last_s, true) ∈ s.rs by condition C(v) we
also have (s'.last_s, true) ∈ s'.rs. Thus, also s' satisfies condition C(v).

a ∈ {shrink_good_s(ids), grow_good_s(ids)}

Changing good_s clearly does not change anything in the mapping R_GD. Thus, u' = u. Then the
finite execution fragment u clearly has the right properties.

a = shrink_good_r(ids)

This step removes elements from good_r, thus s'.good-ids ⊆ s.good-ids.
We consider cases.

• s.current-ok = false

We show (u, drop(I), u') ∈ steps(A_D), where I is defined below. Clearly the step (and finite
execution fragment) has the right trace (the empty trace).

rec_s and rec_r:
We clearly have u'.rec_s = u.rec_s and u'.rec_r = u.rec_r as required by the definition of
drop(I) in A_D.

queue:
By shrinking good-ids we might remove elements from pos-list and current-queue. But
the elements in u.queue corresponding to these elements are all marked (for current-queue
remember that s.current-ok = false implies s.current-flag = marked), so by defining I to
be the indices of these elements we both get that drop(I) is enabled in u and that queue
is handled correctly.

status:
Assume s satisfies condition A, B, or C(i) in Part 3. Then so does s', so u'.status =
u.status. This is allowed by drop(I) since in the cases (B and C(i)) where status ≠
(false, OK) the element at the end of u.queue is not deleted.

If s satisfies C(ii) then either s' also satisfies C(ii), which is allowed since the element at
the end of u.queue (which corresponds to current-queue) is not deleted, or s' satisfies C(vi)
(it cannot satisfy C(iii)–C(v) because of Invariant 8.4 Part 7 and Invariant 8.10 Part 2),
which is allowed by drop(I) since s.current-ok = false implies u.status.flag = marked.

If s satisfies C(iii)–C(v), then so does s', so u'.status = u.status. But this is allowed
since we in these cases have u'.queue = u.queue.

If s satisfies C(vi) then so does s'. In this situation the element at the end of u.queue
might have been deleted (corresponding to elements being removed from pos-list), but
since status = (false, OK), status is handled correctly.

Finally, if s satisfies C(vii) then so does s'. If current-ack_s = false then u'.status =
u.status = (false, OK) which is allowed by drop(I). If current-ack_s = true then Invariant
8.8 Part 4 implies that u'.queue = u.queue. Thus the element at the end of u.queue
is not deleted, so it is permitted to leave status unchanged at (true, OK).

Thus, (u, drop(I), u') ∈ steps(A_D).

• s.current-ok = true

Again we claim that (u, drop(I), u') ∈ steps(A_D).

The argument is similar to the previous case except that since current-ok = true, we have
current-flag = OK, so it is not allowed to lose an element in current-queue or lose status in
case C(ii). However, the precondition of shrink_good_r(ids) ensures that these requirements
are met.

a = grow_good_r(ids)

The precondition ids ∩ issued_r = ∅ and the effect of grow_good_r(ids) ensure that s'.good-ids =
s.good-ids.

Then it is easy to see that u' = u. Thus, the execution fragment u has the right properties.

a = cleanup_r

We show that u' = u. Then the execution fragment u has the right properties. We consider the
four state variables of A_D.

rec_s, rec_r, and queue:
We obviously have u'.rec_s = u.rec_s, u'.rec_r = u.rec_r, and u'.queue = u.queue.

status:
Here the only problem would be that last_r is changed. The variable last_r only occurs in the
conditions of Part 3 when mode_s = send, so assume s.mode_s = send. Then s.last_s ≠ s.last_r
from the precondition. Since also s'.mode_s = send, Invariant 8.1 Part 2 gives us s'.last_s ≠ nil.
Now, since s'.last_r = nil, we also have s'.last_s ≠ s'.last_r. It is now easy to see that whatever
condition in Part 3 s satisfies, s' satisfies the same condition. Thus, u'.status = u.status.

This concludes the simulation proof.
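As an added illustration of the case analysis above (this is not code from the report), the following Python sketch models the queue component of R_GD and the abstract steps mark(I), drop(I) and unmark(I) as the proof uses them, and checks three of the cases (prepare with mode_r = rec, choose_id(id) with last_s ∉ good-ids, and an accepted receive_pkt_sr) by running the candidate execution fragment on R_GD(s) and comparing the result with R_GD(s'). The queue order (buf_r, pos-list, current-queue, buf_s), the flag conventions and the action preconditions are assumptions reconstructed from the proof text rather than taken from Definition 8.13, and all state values are constructed.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Tuple

OK, MARKED = "OK", "marked"
Elem = Tuple[str, str]  # (message, flag)

@dataclass(frozen=True)
class GState:
    """The A_G components the queue part of R_GD depends on (constructed model)."""
    buf_r: Tuple[str, ...]
    pos_list: Tuple[Tuple[str, int], ...]  # (m, id) pairs still receivable
    current_queue: Tuple[str, ...]         # empty, or the single current message
    current_flag: str                      # OK or marked
    buf_s: Tuple[str, ...]
    rec_r: bool

def abstract_queue(s: GState) -> Tuple[Elem, ...]:
    """Queue of R_GD(s): buf_r ++ pos-list ++ current-queue ++ buf_s (assumed order)."""
    return (tuple((m, OK) for m in s.buf_r)
            + tuple((m, MARKED) for m, _ in s.pos_list)
            + tuple((m, s.current_flag) for m in s.current_queue)
            + tuple((m, OK) for m in s.buf_s))

class NotEnabled(Exception):
    """An abstract step was attempted in a state where it is not enabled."""

def mark(q, rec_r: bool, idxs: FrozenSet[int]) -> Tuple[Elem, ...]:
    """mark(I): only enabled while the receiver is recovering; flags I as marked."""
    if not rec_r:
        raise NotEnabled("mark(I) requires rec_r = true")
    return tuple((m, MARKED if i in idxs else f) for i, (m, f) in enumerate(q))

def drop(q, idxs: FrozenSet[int]) -> Tuple[Elem, ...]:
    """drop(I): every element at an index in I must already be marked."""
    if any(q[i][1] != MARKED for i in idxs):
        raise NotEnabled("drop(I) requires every element of I to be marked")
    return tuple(e for i, e in enumerate(q) if i not in idxs)

def unmark(q, idxs: FrozenSet[int]) -> Tuple[Elem, ...]:
    """unmark(I): sets the flags at I back to OK (no precondition)."""
    return tuple((m, OK if i in idxs else f) for i, (m, f) in enumerate(q))

ACTIONS = {"drop": drop, "unmark": unmark}

def run_fragment(q, rec_r: bool, fragment: List[Tuple[str, FrozenSet[int]]]):
    """Apply the abstract steps in order; each I indexes the intermediate queue."""
    for act, idxs in fragment:
        q = mark(q, rec_r, idxs) if act == "mark" else ACTIONS[act](q, idxs)
    return q

def simulates(s: GState, s_next: GState, fragment) -> bool:
    """True if the fragment carries R_GD(s) to R_GD(s'), i.e. the A_G step is simulated."""
    return run_fragment(abstract_queue(s), s.rec_r, fragment) == abstract_queue(s_next)

def drop_is_enabled(q, idxs: FrozenSet[int]) -> bool:
    """Enabledness check: drop(I) on an element flagged OK is not a step of A_D."""
    try:
        drop(q, idxs)
        return True
    except NotEnabled:
        return False

def prepare_while_receiver_recovering() -> bool:
    # a = prepare with mode_r = rec: the head of buf_s becomes the (marked)
    # current message, matched by mark({|buf_r| + |pos-list|}).  Constructed states.
    s = GState(buf_r=("m0",), pos_list=(("m1", 7),), current_queue=(),
               current_flag=OK, buf_s=("m2", "m3"), rec_r=True)
    s_next = replace(s, current_queue=("m2",), current_flag=MARKED, buf_s=("m3",))
    return simulates(s, s_next, [("mark", frozenset({len(s.buf_r) + len(s.pos_list)}))])

def chooseid_with_bad_id() -> bool:
    # a = choose_id(id) with last_s not in good-ids: current-queue is emptied,
    # matched by drop({|buf_r| + |pos-list|}) on the already-marked element.
    s = GState(buf_r=("m0",), pos_list=(("m1", 7),), current_queue=("m2",),
               current_flag=MARKED, buf_s=("m3",), rec_r=False)
    s_next = replace(s, current_queue=())
    return simulates(s, s_next, [("drop", frozenset({len(s.buf_r) + len(s.pos_list)}))])

def receive_accepted_from_pos_list() -> bool:
    # a = receive_pkt_sr(m, id) with id in good_r and (m, id) in pos-pairs: the
    # prefix of pos-list before (m, id) is lost and (m, id) moves to buf_r, i.e.
    # drop(I) then unmark(I').  I' indexes the queue after the drop has shifted it.
    s = GState(buf_r=("m0",), pos_list=(("m1", 5), ("m2", 6), ("m4", 8)),
               current_queue=("m5",), current_flag=OK, buf_s=(), rec_r=False)
    s_next = replace(s, buf_r=("m0", "m2"), pos_list=(("m4", 8),))
    base = len(s.buf_r)
    return simulates(s, s_next, [("drop", frozenset({base})),      # (m1, 5) dropped
                                 ("unmark", frozenset({base}))])   # (m2, 6) now at base
```

The receive case shows why the proof defines I' against u'' rather than u: after drop(I) the element for (m, id) has moved one index down.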



We can now prove that A_G safely implements A_D.

Theorem 8.15 (A_G safely implements A_D)

A_G ⊆_S A_D

Proof

Directly by Lemma 8.14 and the soundness of refinement mappings with respect to the safe
implementation relation (Lemma 5.8).
8.5.3 Correctness

We do not give a formal proof that G correctly implements D. Instead we provide some intuitive
justification and refer to the formal proof that H correctly implements G, which is similar.

We first give two key lemmas about the live executions of G. We use our temporal logic to
state the results but we only give informal proofs. These lemmas are then used to prove that G
correctly implements D.

The first lemma says that if we are in a situation where no crashes occur in the future, then
whenever mode_s = send, eventually the sender will move to idle mode. Note that due to
previous crashes the sender and the receiver do not necessarily agree on what identifiers to use.
So, in some situations, the sender moves to idle mode because of negative acknowledgements
from the receiver, in which case the current message might have been lost.

Lemma 8.16

L_G ⊨ □(□(mode_s ≠ rec ∧ mode_r ≠ rec) ⇒ (mode_s = send ⇝ mode_s = idle))

Proof

Assume: 1. α ∈ L_G
        2. α_1 is an arbitrary suffix of α
        3. α_1 ⊨ □(mode_s ≠ rec ∧ mode_r ≠ rec)
        4. α_2 is an arbitrary suffix of α_1
        5. α_2 ⊨ mode_s = send
Prove:  α_2 ⊨ ◇(mode_s = idle)

We consider what happens in α_2. Note that since mode_s = send and no crashes occur, mode_s will
stay send unless one of the actions receive_pkt_rs(last_s, true) or receive_pkt_rs(last_s, false) occurs,
in which case mode_s changes to idle. Furthermore, while mode_s = send, last_s is unchanged
and the sender keeps performing send_pkt_sr(m, last_s). The latter is due to weak fairness to the
set C_{G,s/r1} containing send_pkt_sr(m, last_s), since all other actions in the set are never enabled.
Now, it suffices to show that eventually receive_pkt_rs(last_s, true) or receive_pkt_rs(last_s, false)
occurs.

⟨1⟩1. Case: α_2 ⊨ last_s ∉ good-ids

  ⟨2⟩1. Case: α_2 ⊨ (last_s, true) ∈ rs

  Proof: By the fairness of the rs channel, eventually a receive_pkt_rs(last_s, true)
  action occurs. That suffices.

  ⟨2⟩2. Case: α_2 ⊨ (last_s, true) ∉ rs ∧ last_s = last_r

  Proof: In this situation the receiver has received the current packet but not yet
  sent positive acknowledgements.

  If buf_r ≠ ε, weak fairness to the set C_{G,s/r3} implies that eventually buf_r = ε.
  Furthermore, buf_r stays empty as long as the sender does not leave send mode.
  Now, when buf_r = ε, we have mode_r ∈ {idle, ack}. If mode_r = idle, it changes
  to ack when a receive_pkt_sr(m, last_s) occurs. Since the sender keeps on sending
  (m, last_s) packets, some will continue to get through (by channel liveness), so if
  mode_r = idle, eventually mode_r = ack. When mode_r = ack the receiver will
  continue to perform send_pkt_rs(last_r, true). Such a step can, however, change mode_r
  to idle, but from above we have that eventually mode_r = ack again and new
  send_pkt_rs(last_r, true) steps will be performed.

  By channel liveness, eventually receive_pkt_rs(last_r, true) occurs, and since last_r =
  last_s, the result follows.

  ⟨2⟩3. Case: α_2 ⊨ (last_s, true) ∉ rs ∧ last_s ≠ last_r

  Proof: This case actually describes two situations: in the first situation the current
  packet never has been and never can be successfully received by the receiver. In the
  second situation the current packet has been successfully received but the receiver
  crashed before placing a positive acknowledgement in the channel. Both situations
  are dealt with in the same way.

  Every time a receive_pkt_sr(m, last_s) step occurs, last_s is placed into nack-buf_r, which
  leads to a send_pkt_rs(last_s, false) action (by fairness to the send_pkt_rs(id, false)
  actions). Since receive_pkt_sr(m, last_s) continues to occur, send_pkt_rs(last_s, false)
  continues to occur. By channel liveness eventually receive_pkt_rs(last_s, false) occurs.
  That suffices.

  ⟨2⟩4. Q.E.D.

  Proof: By the exhaustive cases ⟨2⟩1–⟨2⟩3.

⟨1⟩2. Case: α_2 ⊨ last_s ∈ good-ids

Proof: Then either always last_s ∉ good_r or eventually last_s ∈ good_r.

If always last_s ∉ good_r, then the situation is as described by the case above where α_2 ⊨
last_s ∉ good-ids ∧ (last_s, true) ∉ rs ∧ last_s ≠ last_r.

If eventually last_s ∈ good_r, then still the receiver might have issued send_pkt_rs(last_s, false)
actions in the meantime, and these packets could have gotten through to the sender, in
which case the result follows. So, if this is not the case, eventually (m, last_s) is successfully
received, in which case the situation is as described by the case above where α_2 ⊨ last_s ∉
good-ids ∧ (last_s, true) ∉ rs ∧ last_s = last_r.

⟨1⟩3. Q.E.D.

Proof: By the exhaustive cases ⟨1⟩1–⟨1⟩2.

The result now follows from Lemma 3.5 and the definition of ⇝.



The next lemma states that if there are elements in the four parts that make up the abstraction
of a queue in A_D (cf. Definition 8.13), then eventually a receive_msg(m) action occurs. Thus,
messages cannot be blocked in the G protocol.

Below we use the notation receive_msg(_) to denote the set {receive_msg(m) | m ∈ Msg}.

Lemma 8.17

L_G ⊨ □(□(mode_s ≠ rec ∧ mode_r ≠ rec ∧
          (buf_r ≠ ε ∨ pos-list ≠ ε ∨ current-queue ≠ ε ∨ buf_s ≠ ε)) ⇒ ◇(receive_msg(_)))

Proof

Assume: 1. α ∈ L_G
        2. α_1 is an arbitrary suffix of α
        3. α_1 ⊨ □(mode_s ≠ rec ∧ mode_r ≠ rec ∧
                   (buf_r ≠ ε ∨ pos-list ≠ ε ∨ current-queue ≠ ε ∨ buf_s ≠ ε))
Prove:  α_1 ⊨ ◇(receive_msg(_))

⟨1⟩1. Case: α_1 ⊨ buf_r ≠ ε

Proof: The result follows by weak fairness to the set C_{G,s/r3}.

⟨1⟩2. Case: α_1 ⊨ pos-list ≠ ε

Proof: The packets in pos-list represent "old" packets in the sr channel that might still
successfully be received by the receiver since the packets all have identifiers in good-ids.
Due to channel liveness (the weak fairness requirement on each packet), the packets in
pos-list will eventually be received. Two situations can occur.

First, a packet from pos-list is accepted because it has an identifier in good_r at the time
it is received. In this case the message of the packet is placed in buf_r, and ⟨1⟩1 gives the
result.

Second, no packets from pos-list are ever accepted. Then eventually pos-list becomes
empty (no new packets can be added to pos-list since no crashes occur, and each packet in
pos-list has only finitely many copies in sr and these will eventually all be received (but
not accepted) and thus removed from sr). However, then one of the other disjuncts in
Part 3 of the Assumption must be satisfied, so we refer to the other cases.

⟨1⟩3. Case: α_1 ⊨ current-queue ≠ ε

  ⟨2⟩1. Case: α_1 ⊨ current-ok = true

  Proof: In this situation the sender either will (because of liveness on choose_id(id)
  actions) or has chosen a current identifier last_s which is in good_r (and stays there until
  the current packet is accepted). The sender will send the current packet repeatedly,
  so by channel liveness it will eventually be received and thus accepted. The message
  will be placed into buf_r and Case ⟨1⟩1 gives the result.

  ⟨2⟩2. Case: α_1 ⊨ current-ok = false

  Proof: Here, due to the fact that the receiver was crashed during the last prepare
  action, the sender may choose an identifier which is not in good_r. The sender will
  send the current packet repeatedly, and two things can happen.

  Either the current packet will be accepted at some point by the receiver because
  last_s was in good-ids initially and has been added to good_r in the meantime. Then
  the message is placed in buf_r and Case ⟨1⟩1 gives the result.

  Or the current packet will never be accepted by the receiver. However, since the
  current packet will keep on being received by the receiver (due to channel liveness),
  the receiver will keep on issuing negative acknowledgements for the current identifier
  last_s. By channel liveness such a negative acknowledgement will eventually
  get through and move the sender to idle mode. This has the effect of emptying
  current-queue, so one of the other disjuncts in Part 3 of the Assumption must be
  satisfied, so we refer to the other cases.

  ⟨2⟩3. Q.E.D.

  Proof: By exhaustive cases ⟨2⟩1 and ⟨2⟩2.

⟨1⟩4. Case: α_1 ⊨ buf_s ≠ ε

Proof: By fairness to the set C_{G,s/r1}, eventually a prepare action will occur. Since
mode_r ≠ rec, the sender ends up in needid mode with current-ok = true. The result is
now implied by the first subcase of Case ⟨1⟩3.

⟨1⟩5. Q.E.D.

Proof: By exhaustive cases ⟨1⟩1–⟨1⟩4.

The result now follows from Lemma 3.5.



With the two lemmas above we can prove the main ingredient in our liveness proofs, namely, if 
a is a live execution of G and a' is an execution of A D such that (a, a') £ -Rgd, then a' is live. 
We prove the result by contradiction (cf. the similar lemma (Lemma 7.17) in the proof that D 
correctly implements S). Thus, we assume that a' is not live and then derive a contradiction 
with the fact that a is live. 

Lemma 8.18 

Let a £ exec(A G ) and a' £ exec(An) be arbitrary executions of A G and A-q, respectively, with 
(a, a') £ -Rgd- Assume a \= Q G . Then a' \= Q D . 

Proof 

We prove the conjecture by contradiction. Thus, 

Assume: a' \£ Q B 
Prove: False 

(1)1. a' \= -i WF(Cd,i, rec s = false A rec r = false) V 
-i WF{C-D t 2i rec s = false A rec r = false) V 

^WF(c Di3 )y 

^WF(C DA ) 
Proof: Immediate by the Assumption, definition of Q D , and the Boolean operators. 

(1)2. Case: α' ⊨ ¬WF(C_{D,1}, rec_s = false ∧ rec_r = false)

(2)1. α' ⊨ ◇□(status.stat ∈ Bool ∧ rec_s = false ∧ rec_r = false) ∧ ◇□¬({ack(true), ack(false)})

Proof: By Assumption (1), the definitions of WF and C_{D,1}, and the fact that ack(b) actions are enabled when status.stat ∈ Bool.

(2)2. α ⊨ ◇□(mode_s ≠ rec ∧ mode_r ≠ rec ∧ buf_s = ε ∧
  ((mode_s = send ∧ last_s = last_r ∧ buf_r = ε) ∨
   (mode_s = send ∧ last_s ≠ last_r ∧ (last_s, true) ∈ rs) ∨
   (mode_s = send ∧ last_s ≠ last_r ∧ (last_s, true) ∉ rs ∧ last_s ∉ good-ids) ∨
   (mode_s = idle))) ∧
  ◇□¬({ack(true), ack(false)})

Proof: By (2)1, Lemmas 5.10 and 5.11, the definition of R_GD, and the fact that ack(b) actions are external.

(2)3. α ⊨ ◇□(mode_s = idle ∧ buf_s = ε) ∧ ◇□¬({ack(true), ack(false)})

Proof: By (2)2, Lemma 8.16, and the fact that when mode_s becomes idle, it stays idle since no crashes occur and no prepare action can occur (since buf_s = ε forever).

(2)4. α ⊨ ◇□(mode_s = idle ∧ buf_s = ε) ∧ ◇□¬(C_{G,s/r1})

Proof: By (2)3 since the ack(b) actions are in C_{G,s/r1} and no other actions in C_{G,s/r1} can occur when mode_s = idle and buf_s = ε.

(2)5. α ⊨ ¬WF(C_{G,s/r1})

Proof: By (2)4, the definition of WF, and the fact that mode_s = idle ∧ buf_s = ε implies the enabling condition of C_{G,s/r1}.

(2)6. Q.E.D.

Proof: (2)5 contradicts the assumption that α is live.

(1)3. Case: α' ⊨ ¬WF(C_{D,2}, rec_s = false ∧ rec_r = false)

(2)1. α' ⊨ ◇□(queue ≠ ε ∧ rec_s = false ∧ rec_r = false) ∧ ◇□¬(receive_msg(_))

Proof: By Assumption (1), the definitions of WF and C_{D,2}, and the fact that C_{D,2} is enabled when queue ≠ ε.

(2)2. α ⊨ ◇□(mode_s ≠ rec ∧ mode_r ≠ rec ∧
  (buf_r ≠ ε ∨ pos-list ≠ ε ∨ current-queue ≠ ε ∨ buf_s ≠ ε)) ∧
  ◇□¬(receive_msg(_))

Proof: By (2)1, Lemmas 5.10 and 5.11, the definition of R_GD, and the fact that receive_msg(m) actions are external.

(2)3. Q.E.D.

Proof: (2)2 contradicts Lemma 8.17.
(1)4. Case: α' ⊨ ¬WF(C_{D,3})

(2)1. α' ⊨ ◇□(rec_s = true) ∧ ◇□¬(recover_s)

Proof: By expanding WF in Assumption (1).

(2)2. α ⊨ ◇□(mode_s = rec) ∧ ◇□¬(recover_s)

Proof: By (2)1, Lemmas 5.10 and 5.11, the definition of R_GD, and the fact that recover_s is external.

(2)3. α ⊨ ◇□(mode_s = rec) ∧ ◇□¬(C_{G,s/r1})

Proof: From (2)2 since recover_s ∈ C_{G,s/r1} and none of the other actions in C_{G,s/r1} are enabled when mode_s = rec.

(2)4. α ⊨ ¬WF(C_{G,s/r1})

Proof: From (2)3, the definition of WF, and the fact that mode_s = rec implies the enabling condition for C_{G,s/r1}.

(2)5. Q.E.D.

Proof: (2)4 contradicts the assumption that α is live.

(1)5. Case: α' ⊨ ¬WF(C_{D,4})

Proof: Similar to (1)4.

(1)6. Q.E.D.

Proof: By (1)1 and the exhaustive cases (1)2–(1)5.

■

Finally, we can show that G correctly implements D. 

Theorem 8.19

G ⊑_L D

Proof

Immediate by Lemmas 8.14, 8.18, and 5.9.



We are now ready to consider the two low-level protocols: the Five-Packet Handshake Protocol 
H and the Clock-Based Protocol C. The next chapter deals with H and then, in Chapter 10, we 
consider C. 



Chapter 9

The Five-Packet Handshake Protocol H



We have now reached the point where we can present the first of the low-level protocols we 
consider, namely, the Five-Packet Handshake Protocol of Belsnes [Bel76], which in this work is 
denoted by H. The H protocol is entirely distributed: it consists of a sender process, a receiver 
process, and two channels as depicted in Figure 9.1. 

H is the standard protocol for setting up network connections, used in TCP, ISO TP-4, 
and many other transport protocols. During normal operation it goes through three phases (cf. 
Figure 9.2): 

Agree on identifier: The sender picks an identifier, called jd to distinguish it from the identifier id used below for the actual communication of the message, and sends it in a needid packet. On receipt of this packet, the receiver pairs jd with a new identifier id, and sends the pair (jd, id) back to the sender. On receipt of this pair, the sender knows that it should associate id to the current message.

Send and acknowledge: This phase is similar to the send/acknowledge phase of G. The 
sender sends the current packet in send packets, and the receiver acknowledges the receipt 
with ack packets. 

Clean up: When the sender has received the acknowledgement, it issues a done packet in order 
to inform the receiver that it may forget about the last message accepted. 



[Figure: the sender H_s and the receiver H_r are connected by the channel Ch_sr (send_pkt_sr(p) at the sender, receive_pkt_sr(p) at the receiver) and the channel Ch_rs (send_pkt_rs(p) at the receiver, receive_pkt_rs(p) at the sender). The external actions are send_msg(m), ack(b) and crash_s at the sender, and receive_msg(m) and crash_r at the receiver.]

Figure 9.1

The Five-Packet Handshake Protocol H.
[Figure: packet exchange between sender and receiver in three phases: Agree on identifier (needid, accept), Send and acknowledge (send, ack), Clean up (done).]

Figure 9.2

The phases of H.



Below we look at different abnormal situations which can arise due to crashes. H is sometimes 
called the three-way handshake, because only three packet types are needed for message delivery 
(the first three in Figure 9.2). 

The rest of this chapter is organized as follows. Section 9.1 considers the channels in H. Then, 
in Section 9.2, we present the sender and receiver processes, and in Section 9.3 we show how H 
is obtained from the subprocesses. Finally, in Section 9.4 we prove that H correctly implements 
G. 

9.1 The Channels 

We use the same channels as at the G level (cf. Section 8.2). However, the actual packets that 
are communicated are different in H and G. This only means that in H we should instantiate 
the set P of possible packets with a different set of packets than in G. 

9.2 The Sender and the Receiver 

In this section we specify the sender and receiver processes as two live I/O automata H_s = (A_{H,s}, L_{H,s}) and H_r = (A_{H,r}, L_{H,r}), respectively. In the subsection defining steps(A_{H,s}) and steps(A_{H,r}) below, we provide more intuition about the H protocol.



9.2.1 States and Start States 

The sender and receiver processes both contain a stable set of used identifiers. This means that 
these sets should survive crashes when implemented on a physical machine. Specifically, we 
model the stability of a state variable by not resetting it on recovery. 

For instance, the stable set issued_r includes all identifiers ever considered "good" by the receiver. Thus, every time the receiver issues a new identifier id (to be sent to the sender in an accept packet) this should be remembered forever by adding id to issued_r. This is an expensive solution since it requires updates to a stable variable for every message. The fix to this problem would be to introduce a normal volatile (i.e., non-stable) variable unused_r which is filled with new (i.e., non-issued_r) identifiers now and then in steps that update the stable variable issued_r by adding these new identifiers. Then, for each message, the identifier can be chosen from unused_r and no updates to stable variables need to be performed. Of course, unused_r will be lost in crashes, so it should not be kept too big, but on the other hand, the fewer identifiers it contains, the more frequently updates to the stable variable issued_r need to be performed. This is a typical trade-off.

We do not consider the addition of the variable unused r to H r , but the changes needed are 
both few and simple. 

Sender 

The sender chooses identifiers jd from the set JD. This set is similar to the set ID introduced in 
Section 8.1. We call it JD to distinguish it from ID, which are identifiers chosen by the receiver. 



Variable           Type                        Initially   Description

mode_s             {idle, needid, send, rec}   idle        The mode of the sender. Similar to the mode of the sender at the G level.

buf_s              Msg*                        ε           The list of messages at the sender side.

jd_s               JD ∪ {nil}                  nil         The jd chosen for the current message by the sender.

jd-used_s   (S)    P(JD)                       ∅           A set including all the jds ever used by the sender.

id_s               ID ∪ {nil}                  nil         The id received from the receiver. Similar to last_s at the G level.

current-msg_s      Msg ∪ {nil}                 nil         The message about to be sent to the receiver. Same as at the G level.

current-ack_s      Bool                        false       Acknowledgement from the receiver. Same as at the G level.

done-buf_s         ID*                         ε           A list of ids for which the sender must issue a done packet to the receiver.

S = Stable
Receiver

Variable           Type                               Initially   Description

mode_r             {idle, accept, rcvd, ack, rec}     idle        The mode of the receiver. Similar to the receiver mode at the G level, except for the extra accept mode. In mode accept the receiver is sending accept packets, which contain the chosen message identifier.

buf_r              Msg*                               ε           The list of messages accepted. Same as at the G level.

jd_r               JD ∪ {nil}                         nil         The jd received from the sender in a needid packet.

id_r               ID ∪ {nil}                         nil         The id chosen for the received jd.

last_r             ID ∪ {nil}                         nil         This variable contains (when non-nil) the id of the last packet accepted.

issued_r    (S)    P(ID)                              ∅           A set including all ids ever issued by the receiver. Same as at the G level.

nack-buf_r         ID*                                ε           A list of ids for which the receiver will issue negative acknowledgements. Same as at the G level.

S = Stable



9.2.2 Actions 

Sender 

Input:
  send_msg(m), m ∈ Msg
  crash_s
  receive_pkt_rs(accept, jd, id), jd ∈ JD, id ∈ ID
  receive_pkt_rs(ack, id, b), id ∈ ID, b ∈ Bool
Output:
  ack(b), b ∈ Bool
  recover_s
  send_pkt_sr(needid, jd), jd ∈ JD
  send_pkt_sr(send, m, id), m ∈ Msg, id ∈ ID
  send_pkt_sr(done, id), id ∈ ID
Internal:
  choose_jd(jd), jd ∈ JD
  grow-jd-used_s(jds), jds ∈ P(JD)

Receiver

Input:
  crash_r
  receive_pkt_sr(needid, jd), jd ∈ JD
  receive_pkt_sr(send, m, id), m ∈ Msg, id ∈ ID
  receive_pkt_sr(done, id), id ∈ ID
Output:
  receive_msg(m), m ∈ Msg
  recover_r
  send_pkt_rs(accept, jd, id), jd ∈ JD, id ∈ ID
  send_pkt_rs(ack, id, b), id ∈ ID, b ∈ Bool
Internal:
  grow-issued_r(ids), ids ∈ P(ID)

9.2.3 Steps 

We now formally define steps(A_{H,s}) and steps(A_{H,r}). As at the G level we increase readability by listing the step rules of the sender and the receiver together, placing each send_pkt next to the corresponding receive_pkt. After the definition, we provide more intuition about how H works.

send_msg(m)
  Effect:
    if mode_s ≠ rec then
      buf_s := buf_s ^ m

choose_jd(jd)
  Precondition:
    mode_s = idle ∧ buf_s ≠ ε ∧ jd ∉ jd-used_s
  Effect:
    mode_s := needid
    jd_s := jd
    jd-used_s := jd-used_s ∪ {jd}
    current-msg_s := head(buf_s)
    buf_s := tail(buf_s)

send_pkt_sr(needid, jd)
  Precondition:
    mode_s = needid ∧ jd_s = jd
  Effect:
    none

receive_pkt_sr(needid, jd)
  Effect:
    if mode_r = idle then
      mode_r := accept
      choose an id not in issued_r
      jd_r := jd
      id_r := id
      issued_r := issued_r ∪ {id}

send_pkt_rs(accept, jd, id)
  Precondition:
    mode_r = accept ∧ jd_r = jd ∧ id_r = id
  Effect:
    none

receive_pkt_rs(accept, jd, id)
  Effect:
    if mode_s ≠ rec then
      if mode_s = needid ∧ jd_s = jd then
        mode_s := send
        id_s := id
      else if id_s ≠ id then
        done-buf_s := done-buf_s ^ id

send_pkt_sr(send, m, id)
  Precondition:
    mode_s = send ∧ current-msg_s = m ∧ id_s = id
  Effect:
    none

receive_pkt_sr(send, m, id)
  Effect:
    if mode_r ≠ rec then
      if mode_r = accept ∧ id_r = id then
        mode_r := rcvd
        buf_r := buf_r ^ m
        last_r := id
      else if last_r ≠ id then
        nack-buf_r := nack-buf_r ^ id

ack(b)
  Precondition:
    mode_s = idle ∧ buf_s = ε ∧ current-ack_s = b
  Effect:
    none

receive_msg(m)
  Precondition:
    mode_r = rcvd ∧ buf_r ≠ ε ∧ head(buf_r) = m
  Effect:
    buf_r := tail(buf_r)
    if buf_r = ε then
      mode_r := ack

send_pkt_rs(ack, id, true)
  Precondition:
    mode_r = ack ∧ last_r = id
  Effect:
    none

receive_pkt_rs(ack, id, b)
  Effect:
    if mode_s ≠ rec then
      if mode_s = send ∧ id_s = id then
        mode_s := idle
        current-ack_s := b
        jd_s := nil
        id_s := nil
        current-msg_s := nil
      if b = true then
        done-buf_s := done-buf_s ^ id

send_pkt_rs(ack, id, false)
  Precondition:
    mode_r ≠ rec ∧ nack-buf_r ≠ ε ∧ head(nack-buf_r) = id
  Effect:
    nack-buf_r := tail(nack-buf_r)

send_pkt_sr(done, id)
  Precondition:
    mode_s ≠ rec ∧ done-buf_s ≠ ε ∧ head(done-buf_s) = id
  Effect:
    done-buf_s := tail(done-buf_s)

receive_pkt_sr(done, id)
  Effect:
    if (mode_r = accept ∧ id_r = id) ∨ (mode_r = ack ∧ last_r = id) then
      mode_r := idle
      jd_r := nil
      id_r := nil
      last_r := nil

crash_s
  Effect:
    mode_s := rec

crash_r
  Effect:
    mode_r := rec

recover_s
  Precondition:
    mode_s = rec
  Effect:
    mode_s := idle
    jd_s := nil
    id_s := nil
    buf_s := ε
    current-msg_s := nil
    current-ack_s := false
    done-buf_s := ε

recover_r
  Precondition:
    mode_r = rec
  Effect:
    mode_r := idle
    jd_r := nil
    id_r := nil
    last_r := nil
    buf_r := ε
    nack-buf_r := ε

grow-jd-used_s(jds)
  Precondition:
    |JD \ (jd-used_s ∪ jds)| = ∞
  Effect:
    jd-used_s := jd-used_s ∪ jds

grow-issued_r(ids)
  Precondition:
    |ID \ (issued_r ∪ ids)| = ∞
  Effect:
    issued_r := issued_r ∪ ids
The following note about the receive_pkt_sr(needid, jd) steps should be made: A_{H,r} is required to be input-enabled and therefore we do not specify preconditions for input actions. However, in the effect clause of receive_pkt_sr(needid, jd) we must choose an id not in issued_r. This is only possible if issued_r ≠ ID. Invariant 9.11 Part 1 below (cf. Invariant 8.12 at the G level) states that this is indeed the case for all reachable states. However, since there exist (non-reachable) states with issued_r = ID, A_{H,r} is not input-enabled. This is not a problem in practice, but to make A_{H,r} input-enabled we interpret the definition of receive_pkt_sr(needid, jd) such that an arbitrary id is chosen if issued_r = ID.

We first describe the normal mode of operation: the sender performs a choose_jd(jd) action (which corresponds to prepare of G) and moves to mode needid, where it repeatedly sends (needid, jd) to the receiver. By channel liveness these packets will continue to get through. One of the major problems in the liveness proof below is to show that eventually the receiver will be in idle mode. When this happens, the receiver accepts (needid, jd), associates a new identifier id with jd, and moves to accept mode, where it repeatedly issues (accept, jd, id) packets. Again by channel liveness, such a packet gets through and since jd is equal to the current jd (kept in jd_s) of the sender, the sender accepts this packet. The value jd is no longer needed, but id is used for the actual communication.

On receipt of (accept, jd, id) the sender moves to mode send. Note how the accept packets 
work as acknowledgements for the needid packets. In send mode the sender repeatedly sends 
the current packet (send, m, id). When one gets through, it is accepted since the id in the packet 
corresponds to the current id (kept in id r ) of the receiver. The message m is placed in buf r 
and the identifier id for which the receiver shall eventually issue positive acknowledgements is 
remembered in the last r variable. (Note the difference between id r and last r : id r remembers 
the identifier that the receiver will accept, whereas last r remembers the identifier for which the 
receiver must issue positive acknowledgements. Due to this difference the identifiers are kept in 
separate variables.) Now, eventually m is delivered to the user and the receiver moves to ack 
mode. Note how the send packets work as acknowledgements for the accept packets. 

In ack mode the receiver repeatedly sends positive acknowledgements in (ack, id, true) pack- 
ets. When one gets through, the sender leaves send mode and issues a positive acknowledgement 
ack(b) to the user at the sender side. 

The receiver has no knowledge of whether an (ack, id, true) packet has gotten through yet 
or not, so it continues to issue the packets. Somehow the receiver must be informed that the 
sender has received the acknowledgement. The done packets are used for this purpose. It 
would not work if the sender entered a mode where it repeatedly issued done packets because 
then the receiver would have to acknowledge the receipt of a done packet, and so on. Instead, 
every time the sender receives (ack, id, true) it adds id to done-buf s , and this leads to one 
send _pkt sr (done, id) being issued. There is no guarantee that the packet is not lost, but if it 
is, the sender will eventually receive another (ack, id, true) packet, which gives rise to another 
send _pkt sr (done, id) step. This cannot go on forever because of channel liveness, so eventually 
the receiver will receive (done, id) and since id is equal to last r , the receiver leaves ack mode 
and moves to idle mode, where it is allowed to forget everything about jd r , id r , and last r . 

The above discussion has concentrated on normal mode of operation, where the sender and 
receiver are synchronized. However, because both the sender and the receiver have modes where 
they repeatedly send certain packets and await acknowledgements, they would be very vulnerable 
to crashes of the other node if we did not have some means of informing the node about crashes. 
The "bad" modes are accept for the receiver and send for the sender. 
First consider a situation where the receiver is in accept mode but where the sender due to crashes is not in the expected needid mode with jd_s = jd_r. The sender could be in idle mode or even in needid mode with a new jd identifier such that jd_s ≠ jd_r. Now, every time the sender receives a bad accept packet, it places the associated identifier id in done-buf_s which leads to a send_pkt_sr(done, id) step, which may or may not succeed in putting the packet into the channel. If it succeeds, the packet will eventually be received and the receiver will be dislodged (cf. the definition of the receive_pkt_sr(done, id) steps of the receiver). If it does not succeed, the sender will eventually receive another accept packet, which gives rise to another send_pkt_sr(done, id) step. This cannot go on forever because of channel liveness, so eventually the receiver will receive (done, id). Thus, the done packets are used to inform the receiver to leave a bad accept mode in the same way done packets were used during normal mode of operation to inform the receiver that the sender has received the positive acknowledgement. An additional problem arises because the receiver immediately could receive an old needid packet and thus reenter a bad accept mode. However, there can only be finitely many such old needid packets in the channel, so this cannot go on forever. Below we shall see how this is proved formally.

Another "bad" situation occurs when the sender is in send mode but where the receiver due to crashes is not in the expected accept mode with id_r = id_s. The receiver could be in idle mode or it could have received an old needid packet and thus be in accept mode with id_r ≠ id_s. Now, every time the receiver receives a (send, m, id) packet it will, since id ≠ id_r, add id to nack-buf_r, which leads to send_pkt_rs(ack, id, false). This continues, as for the done packets above, until (ack, id, false) is received by the sender and at that point the sender resets to idle mode.
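To make the three phases and the two "bad" situations above concrete, here is an executable model of the H sender and receiver step rules from Section 9.2.3, driven by a scheduler that gives fair turns to the four action sets of Section 9.2.4. This is an added example in Python, not code from the report; the identifier sources (JD as the naturals from 100, ID as the naturals from 1), the lossless FIFO channels, and the round-robin scheduler in run() are assumptions of the example. The scenario runs a normal delivery, then crashes the sender while the receiver sits in accept mode (so done packets must dislodge it), then crashes the receiver while the sender sits in send mode (so a negative acknowledgement must reset it).

```python
# Model of the H step rules of Section 9.2.3 (added example, not the report's code).
# Channels are lossless FIFO lists; run() gives one turn per round to each of the fairness
# sets C_{H,s1}, C_{H,s2}, C_{H,r1}, C_{H,r2} of Section 9.2.4, then delivers all packets.
# Assumptions: JD = naturals from 100, ID = naturals from 1.
import itertools

class Sender:
    def __init__(self):
        self.jd_used, self.fresh = set(), itertools.count(100)  # jd-used_s is stable
        self.recover()
    def recover(self):  # recover_s: reset all but the stable jd_used
        self.mode, self.jd, self.id, self.buf = "idle", None, None, []
        self.cur_msg, self.cur_ack, self.done_buf = None, False, []
    def crash(self): self.mode = "rec"
    def send_msg(self, m):
        if self.mode != "rec": self.buf.append(m)
    def choose_jd(self):  # the counterpart of prepare at the G level
        if self.mode == "idle" and self.buf:
            self.jd = next(j for j in self.fresh if j not in self.jd_used)
            self.jd_used.add(self.jd)
            self.mode, self.cur_msg = "needid", self.buf.pop(0)
    def out_pkt(self):  # C_{H,s1}: keep repeating the current packet
        if self.mode == "needid": return ("needid", self.jd)
        if self.mode == "send": return ("send", self.cur_msg, self.id)
    def out_done(self):  # C_{H,s2}: one done packet per queued id
        if self.mode != "rec" and self.done_buf: return ("done", self.done_buf.pop(0))
    def ack(self):  # ack(b) is enabled when idle with an empty buffer
        return self.cur_ack if self.mode == "idle" and not self.buf else None
    def receive(self, pkt):
        if self.mode == "rec": return
        if pkt[0] == "accept":
            _, jd, i = pkt
            if self.mode == "needid" and self.jd == jd: self.mode, self.id = "send", i
            elif self.id != i: self.done_buf.append(i)  # bad accept: dislodge the receiver
        elif pkt[0] == "ack":
            _, i, b = pkt
            if self.mode == "send" and self.id == i:
                self.mode, self.cur_ack = "idle", b
                self.jd = self.id = self.cur_msg = None
            if b: self.done_buf.append(i)  # every (ack, id, true) queues a done packet

class Receiver:
    def __init__(self):
        self.issued, self.fresh, self.delivered = set(), itertools.count(1), []  # issued_r stable
        self.recover()
    def recover(self):  # recover_r
        self.mode, self.jd, self.id, self.last = "idle", None, None, None
        self.buf, self.nack_buf = [], []
    def crash(self): self.mode = "rec"
    def step_r1(self):  # C_{H,r1}: accept packets, receive_msg to the user, positive acks
        if self.mode == "accept": return ("accept", self.jd, self.id)
        if self.mode == "rcvd":
            self.delivered.append(self.buf.pop(0))
            if not self.buf: self.mode = "ack"
        elif self.mode == "ack": return ("ack", self.last, True)
    def out_nack(self):  # C_{H,r2}: negative acks
        if self.mode != "rec" and self.nack_buf: return ("ack", self.nack_buf.pop(0), False)
    def receive(self, pkt):
        if pkt[0] == "needid":
            if self.mode == "idle":
                self.id = next(i for i in self.fresh if i not in self.issued)
                self.issued.add(self.id)
                self.mode, self.jd = "accept", pkt[1]
        elif self.mode == "rec": return
        elif pkt[0] == "send":
            _, m, i = pkt
            if self.mode == "accept" and self.id == i:
                self.mode, self.last = "rcvd", i
                self.buf.append(m)
            elif self.last != i: self.nack_buf.append(i)
        elif pkt[0] == "done":
            if (self.mode, self.id) == ("accept", pkt[1]) or (self.mode, self.last) == ("ack", pkt[1]):
                self.mode, self.jd, self.id, self.last = "idle", None, None, None

def run(s, r, rounds):
    """One turn per fairness set per round, then deliver everything in flight."""
    for _ in range(rounds):
        s.choose_jd()
        sr = [p for p in (s.out_pkt(), s.out_done()) if p]
        rs = [p for p in (r.step_r1(), r.out_nack()) if p]
        for p in sr: r.receive(p)
        for p in rs: s.receive(p)

def scenario():
    """Normal run; sender crash with the receiver stuck in accept; receiver crash with
    the sender stuck in send. Returns what the two users observed."""
    s, r, acks = Sender(), Receiver(), []
    s.send_msg("m1"); run(s, r, 6); acks.append(s.ack())   # three phases complete
    s.send_msg("m2"); run(s, r, 1)                         # receiver is now in accept mode
    s.crash(); s.recover()                                 # m2 and jd_s are lost
    s.send_msg("m3"); run(s, r, 10); acks.append(s.ack())  # done packets dislodge the receiver
    s.send_msg("m4"); run(s, r, 2)                         # sender is now in send mode
    r.crash(); r.recover()                                 # receiver forgets id_r
    run(s, r, 3); acks.append(s.ack())                     # a negative ack resets the sender
    return {"delivered": r.delivered, "acks": acks, "modes": (s.mode, r.mode)}
```

Running scenario() shows exactly the behaviour the text argues for: m1 and m3 are delivered once each and acknowledged positively; m2, lost in the sender crash, is never delivered and the stale accept packets for it are cleared by done packets; m4 is never delivered and the user gets ack(false). Note that after every (ack, id, true) the sender queues another done packet even when it is already idle, which is what lets a lost done packet be retried.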

The actions grow-jd-used_s(jds) and grow-issued_r(ids) allow identifiers to be added to the sets of used identifiers of the sender and receiver, respectively, as long as there are still "enough" (i.e., infinitely many) unused identifiers left. These actions are not required for the correctness of H but allow a final implementation on a physical machine to throw away some identifiers. This is typically required by algorithms for generating unused identifiers.

It may seem strange that the sender and receiver need to engage in the initial needid/accept handshake. Why don't they just agree on using, say, the natural numbers in increasing order as identifiers? Then the receiver will only accept a message if the associated identifier is greater than the identifier of the last message accepted. The answer is that H is designed so that the receiver can use the same set of identifiers for several senders. Thus, as defined, the receiver does not have to remember (in stable storage!) the last identifier used by each individual sender. We do not in this report show how the receiver should work for several senders.

The discussion above has partly been based on liveness assumptions on the sender and receiver. 
We now consider how to specify this liveness formally. 

9.2.4 Liveness 
Sender 

We define the following two sets of the locally-controlled actions of the sender: 



C_{H,s1} = {ack(true), ack(false), recover_s} ∪
  {send_pkt_sr(needid, jd) | jd ∈ JD} ∪
  {send_pkt_sr(send, m, id) | m ∈ Msg ∧ id ∈ ID}
C_{H,s2} = {send_pkt_sr(done, id) | id ∈ ID}

The liveness formula Q_{H,s} that induces the liveness condition L_{H,s} for A_{H,s} is now defined as

Q_{H,s} = WF(C_{H,s1}) ∧ WF(C_{H,s2})

Note that the reason we need weak fairness to C_{H,s2} separately is that sending of done packets can occur at any time. Then, if we only had weak fairness to C_{H,s1} ∪ C_{H,s2}, there would be no requirement to issue done packets if the sender is in send mode and keeps sending send packets. This would not lead to correct operation of H.

Thus, H_s can intuitively be seen as consisting of two parallel processes: one dealing with the actions in C_{H,s1} and one dealing with issuing done packets. Since the liveness requirements are weak fairness, the liveness of H_s can be implemented on a physical machine by a scheduler giving fair turns to the two parallel processes.

By Lemma 4.7, Q_{H,s} is an environment-free liveness formula for A_{H,s}. Thus, H_s is a live I/O automaton. Furthermore, by Lemma 4.8, Q_{H,s} is stuttering-insensitive.

Receiver 

We define the following two sets of locally-controlled actions of the receiver: 

C_{H,r1} = {recover_r} ∪
  {receive_msg(m) | m ∈ Msg} ∪
  {send_pkt_rs(accept, jd, id) | jd ∈ JD ∧ id ∈ ID} ∪
  {send_pkt_rs(ack, id, true) | id ∈ ID}
C_{H,r2} = {send_pkt_rs(ack, id, false) | id ∈ ID}

The liveness formula that induces the liveness condition for the receiver of H can now be expressed as

Q_{H,r} = WF(C_{H,r1}) ∧ WF(C_{H,r2})

The reason why we need weak fairness to two sets of actions is similar to the reason given above for the sender.

By Lemma 4.7, Q_{H,r} is an environment-free liveness formula for A_{H,r}. Thus, H_r is a live I/O automaton. Furthermore, by Lemma 4.8, Q_{H,r} is stuttering-insensitive.

9.3 The Specification of H 

As depicted in Figure 9.1, H consists of the sender and receiver processes and the two channels. So, first define H'' = (A''_H, L''_H) to be the following live I/O automaton.

H'' = H_s || H_r || Ch_sr || Ch_rs

Since Q_{H,s}, Q_{H,r}, Q_{Ch,sr}, and Q_{Ch,rs} are all stuttering-insensitive, Proposition 4.4 implies that L''_H is induced by

Q_H = Q_{H,s} ∧ Q_{H,r} ∧ Q_{Ch,sr} ∧ Q_{Ch,rs}

By Definition 2.2 the channel actions send_pkt_sr(...), receive_pkt_sr(...), send_pkt_rs(...), and receive_pkt_rs(...) are all output actions of H''. We need to hide these in order to get a live I/O automaton with the same external actions as S.

However, recall from Lemma 5.10 that the existence of an index mapping between execu- 
tions at two levels of abstraction allows one to conclude certain properties of the (common) 
external actions of the executions. Thus, the more external actions of two levels, the stronger 
the correspondence between the executions. 

At the G level we defined G' to be the system where channel communication is external, i.e., G' was simply the parallel composition of the sender/receiver processes and the channels, similar to H'' above. Now, the actions send_pkt_sr(m, id), receive_pkt_sr(m, id), send_pkt_rs(id, b), and receive_pkt_rs(id, b) of G' correspond to the send_pkt_sr(send, m, id), receive_pkt_sr(send, m, id), send_pkt_rs(ack, id, b), and receive_pkt_rs(ack, id, b) actions at the H level. Thus, the channel actions at the H level which deal with needid, accept, and done packets do not correspond to any external actions of G'. Thus, we first hide these actions from H'' to get H'. Let

A'_H = {send_pkt_sr(needid, jd) | jd ∈ JD} ∪
  {receive_pkt_sr(needid, jd) | jd ∈ JD} ∪
  {send_pkt_rs(accept, jd, id) | jd ∈ JD ∧ id ∈ ID} ∪
  {receive_pkt_rs(accept, jd, id) | jd ∈ JD ∧ id ∈ ID} ∪
  {send_pkt_sr(done, id) | id ∈ ID} ∪
  {receive_pkt_sr(done, id) | id ∈ ID}

Then H' = (A'_H, L'_H) is defined as

H' = H'' \ A'_H

By Proposition 4.5, L'_H is induced by Q_H.

Finally, to get the H protocol, we hide the remaining channel actions. Let

A_H = {send_pkt_sr(send, m, id) | m ∈ Msg ∧ id ∈ ID} ∪
  {receive_pkt_sr(send, m, id) | m ∈ Msg ∧ id ∈ ID} ∪
  {send_pkt_rs(ack, id, b) | id ∈ ID ∧ b ∈ Bool} ∪
  {receive_pkt_rs(ack, id, b) | id ∈ ID ∧ b ∈ Bool}

Thus, H = (A_H, L_H) is defined as

H = H' \ A_H

Again, by Proposition 4.5, L_H is induced by Q_H.

Now, in the proof below we prove that H' correctly implements G' (or actually a slightly different version of G' in which the channel actions are renamed to completely match the (remaining) external channel actions of H'). Then the substitutivity results of Proposition 2.16 are used to infer that H correctly implements G.

Now, in the proof below we prove that H' correctly implements G' (or actually a slightly different 
version of G' in which the channel actions are renamed to completely match the (remaining) 
external channel actions of H'). Then the substitutivity results of Proposition 2.16 are used to 
infer that H correctly implements G. 

9.4 Correctness of H 

The correctness of H with respect to G is now considered. We first add history variables to H' to get H^h = (A^h_H, L^h_H) as described in Section 5.1.5. Then we state some invariants of A^h_H and show the existence of a refinement mapping from A^h_H to A^ρ_G, where A^ρ_G is a slightly modified version of A'_G obtained by renaming some channel actions. This refinement mapping is then used to show that H^h correctly implements G^ρ, which, in turn, allows us to conclude that H correctly implements G.

9.4.1 Adding History Variables to H' 

We add three history variables to H' and denote the resulting live I/O automaton by H^h = (A^h_H, L^h_H).

Variable           Type           Initially   Description

used_s      (H)    ID*            ε           A history variable giving the list of ids ever used by the sender (and thus accepted in accept packets from the receiver). Same as at the G level.

seen_r      (H)    P(JD × ID)     ∅           A history variable consisting of all the (jd, id) pairs the receiver has ever seen.

current-ok  (H)    Bool           false       A history variable describing the state of the current message. Same as at the G level.

H = History



By the results in Section 5.1.5, we are allowed to change the history variables anywhere in the effect clauses of the step rules defining the steps of A'_H. The effect clauses of step rules of A'_H are, in turn, defined by the corresponding effect clauses of the components of H' as described in Section 4.1.1.1. We show where the changes to the history variables should be placed in the effect clauses. We omit the assignments to the original variables (by writing ... instead) but outline the if-then-else statements.

choose_jd(jd)
  Precondition:
    (* Precondition from H_s *)
  Effect:
    (* Effect clause from H_s *)
    if mode_r ≠ rec then
      current-ok := true

receive_pkt_sr(needid, jd)
  Precondition:
    (* Precondition from Ch_sr *)
  Effect:
    (* Effect clause from Ch_sr *)
    (* Effect clause from H_r *)
    if mode_r = idle then
      ...
      seen_r := seen_r ∪ {(jd_r, id_r)}

receive_pkt_rs(accept, jd, id)
  Precondition:
    (* Precondition from Ch_rs *)
  Effect:
    (* Effect clause from 
Ch_rs *)
    (* Effect clause from H_s *)
    if mode_s ≠ rec then
      if mode_s = needid ∧ jd_s = jd then
        ...
        used_s := used_s ^ id
      else if id_s ≠ id then
        ...

receive_pkt_sr(send, m, id)
  Precondition:
    (* Precondition from Ch_sr *)
  Effect:
    (* Effect clause from Ch_sr *)
    (* Effect clause from H_r *)
    if mode_r ≠ rec then
      if mode_r = accept ∧ id_r = id then
        ...
        if id = id_s then
          current-ok := false
      else if last_r ≠ id then
        ...

crash_s
  Effect:
    (* Effect clause from H_s *)
    current-ok := false

crash_r
  Effect:
    (* Effect clause from H_r *)
    current-ok := false

From Lemma 5.16 we know that L^h_H is induced by Q_H.



9.4.2 Invariants 

To help us in the refinement mapping proof below, we state some invariants of A^h_H without proofs. The proofs could be performed similarly to the proofs of the A_G invariants in Appendix C. The first invariant states properties of issued_r.

Invariant 9.1

1. If id_r ≠ nil then id_r ∈ issued_r

2. If last_r ≠ nil then last_r ∈ issued_r

3. If (accept, jd, id) ∈ rs then id ∈ issued_r

4. used_s ⊆ issued_r

Define in any state of A^h_H jds(sr) to be the set of jd components of the packets in the sr channel. Formally, since only needid packets have jd components in the sr channel, we have

jds(sr) = {jd | (needid, jd) ∈ sr}

Similarly,

jds(rs) = {jd | (accept, jd, id) ∈ rs}

The following invariant then states that all jds in the system are used by the sender.

Invariant 9.2

1. jd_s ∈ jd-used_s if jd_s ≠ nil

2. jds(sr) ⊆ jd-used_s

3. jd_r ∈ jd-used_s if jd_r ≠ nil

4. jds(rs) ⊆ jd-used_s

■

The following invariants state simple properties.

Invariant 9.3

1. If mode_r ∈ {idle, accept} then last_r = nil

■

Invariant 9.4

1. If mode_r = accept then id_r ≠ nil

■

Invariant 9.5

1. If mode_s = rec ∨ mode_r = rec then current-ok = false

■

Invariant 9.6

1. If id_s ≠ nil then mode_s ∈ {send, rec}

The next invariant states that the identifiers in the system are in most cases registered in the history variable used_s.

Invariant 9.7

1. If id_s ≠ nil then id_s ∈ used_s

2. If (send, m, id) ∈ sr then id ∈ used_s

3. If mode_r = rcvd then last_r ∈ used_s

4. If mode_r = ack then last_r ∈ used_s

5. If (ack, id, b) ∈ rs then id ∈ used_s

The identifiers for which the sender will issue or has issued done packets can never be equal to the current identifier of the sender.

Invariant 9.8

1. If id ∈ done-buf_s then id ≠ id_s

2. If (done, id) ∈ sr then id ≠ id_s

The history variable seen_r records all the (jd, id) pairs the receiver has ever seen. Thus, when the receiver associates an identifier id to a received jd, the pair (jd, id) is added to seen_r. Due to crashes the receiver might associate two different id identifiers to the same jd identifier. However, it can never happen that the receiver associates the same id to different jds.

Invariant 9.9

1. If id_r ≠ nil then (jd_r, id_r) ∈ seen_r

2. If (jd, id) ∈ seen_r ∧ (jd', id) ∈ seen_r then jd = jd'

3. If (accept, jd, id) ∈ rs then (jd, id) ∈ seen_r

Invariant 9.10

1. If mode_s = needid ∧ mode_r = accept ∧ jd_s = jd_r then
   (send, _, id_r) ∉ sr ∧ (done, id_r) ∉ sr

The final invariant corresponds to Invariant 8.12 at the G level. It states that there are always enough unused ids and jds left.

Invariant 9.11

1. |ID \ issued_r| = ∞

2. |JD \ jd-used_s| = ∞

Below we refer to the conjunction of the invariants by I^h_H.
9.4.3 Safety

The safe I/O automata A^h_H and A'_G do not agree on their input and output actions. The difference is however very small: A^h_H adds packets to the channel in send_pkt_sr(send, m, id) steps, whereas the corresponding steps in A'_G are send_pkt_sr(m, id). There is a similar difference with respect to send_pkt_rs(ack, id, b) steps and the corresponding receive_pkt_sr and receive_pkt_rs steps. So, define the following action mapping:

ρ = [send_pkt_sr(m, id) ↦ send_pkt_sr(send, m, id) | m ∈ Msg ∧ id ∈ ID] ∪
  [receive_pkt_sr(m, id) ↦ receive_pkt_sr(send, m, id) | m ∈ Msg ∧ id ∈ ID] ∪
  [send_pkt_rs(id, b) ↦ send_pkt_rs(ack, id, b) | id ∈ ID ∧ b ∈ Bool] ∪
  [receive_pkt_rs(id, b) ↦ receive_pkt_rs(ack, id, b) | id ∈ ID ∧ b ∈ Bool] ∪
  [a ↦ a | a ∈ acts(A'_G) \ A_G]

where A_G is defined in Section 8.4 and contains all the actions which are not being renamed by ρ. Clearly ρ is applicable to G', so define G^ρ = (A^ρ_G, L^ρ_G) as follows.

G^ρ = ρ(G')

By Proposition 4.6, L^ρ_G is induced by ρ(Q_G).

We now define a function from states(A^h_H) to states(A^ρ_G). Below, in Lemma 9.13, this function is proved to be a refinement mapping from A^h_H to A^ρ_G with respect to I^h_H and I_G. (Note that the invariant I_G of A_G is also an invariant of A^ρ_G.)



Definition 9.12 (Refinement Mapping from $A^h_{H'}$ to $A^{\rho}_{G'}$)

If $s \in states(A^h_{H'})$ then define $R_{HG}(s)$ to be the state $u \in states(A^{\rho}_{G'})$ such that

1. The following variables are copied unchanged:

   $u.mode_s = s.mode_s$
   $u.buf_s = s.buf_s$
   $u.used_s = s.used_s$
   $u.current\text{-}msg_s = s.current\text{-}msg_s$
   $u.current\text{-}ack_s = s.current\text{-}ack_s$
   $u.last_r = s.last_r$
   $u.buf_r = s.buf_r$
   $u.issued_r = s.issued_r$
   $u.nack\text{-}buf_r = s.nack\text{-}buf_r$
   $u.current\text{-}ok = s.current\text{-}ok$

2. $u.last_s = s.id_s$

3. $u.good_s = $ (if $s.mode_s = needid$ then
   $\{id \mid (accept, s.jd_s, id) \in s.rs\} \;\cup$ (if $s.mode_r = accept \wedge s.jd_r = s.jd_s$ then $\{s.id_r\}$ else $\emptyset$)
   else $\emptyset$)

4. $u.mode_r = $ (if $s.mode_r = accept$ then $idle$ else $s.mode_r$)

5. $u.good_r = $ (if $s.mode_r = accept$ then $\{s.id_r\}$ else $\emptyset$)

6. The packets in each channel in $u$ are exactly the $send$ and $ack$ packets in the same channel in $s$.
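The following Python program is added here as an illustration and is not part of the report. It encodes a state of $A^h_{H'}$ (the field names and the tuple encoding of packets are this example's assumptions), computes $R_{HG}$ exactly as Definition 9.12 prescribes, and checks Invariants 9.5 to 9.10 on a constructed state. It shows how Part 3 collects an $id$ both from $accept$ packets in the $rs$ channel and from the receiver's own $id_r$ when the receiver has accepted the sender's current $jd_s$, and how binding one $id$ to a second $jd$ trips Invariant 9.9.

```python
from dataclasses import dataclass, field

NIL = None  # stands for the report's nil (constructed encoding)


@dataclass
class HState:
    """A state of A^h_{H'} restricted to what R_HG and Invariants 9.5-9.10 use.
    Field names and the tuple encoding of packets are this example's assumptions:
    sr holds ("needid", jd), ("send", m, id) or ("done", id);
    rs holds ("accept", jd, id) or ("ack", id, b)."""
    mode_s: str = "idle"            # idle | needid | send | rec
    id_s: object = NIL
    jd_s: object = NIL
    buf_s: list = field(default_factory=list)
    used_s: set = field(default_factory=set)
    done_buf_s: list = field(default_factory=list)
    current_msg_s: object = NIL
    current_ack_s: object = NIL
    current_ok: bool = False
    mode_r: str = "idle"            # idle | accept | rcvd | ack | rec
    id_r: object = NIL
    jd_r: object = NIL
    last_r: object = NIL
    buf_r: list = field(default_factory=list)
    issued_r: set = field(default_factory=set)
    nack_buf_r: list = field(default_factory=list)
    seen_r: set = field(default_factory=set)   # history variable: (jd, id) pairs
    sr: list = field(default_factory=list)
    rs: list = field(default_factory=list)


def refine(s: HState) -> dict:
    """R_HG of Definition 9.12: the state u of A^rho_{G'} determined by s."""
    u = {  # Part 1: copied unchanged
        "mode_s": s.mode_s, "buf_s": list(s.buf_s), "used_s": set(s.used_s),
        "current_msg_s": s.current_msg_s, "current_ack_s": s.current_ack_s,
        "last_r": s.last_r, "buf_r": list(s.buf_r), "issued_r": set(s.issued_r),
        "nack_buf_r": list(s.nack_buf_r), "current_ok": s.current_ok,
    }
    u["last_s"] = s.id_s                                          # Part 2
    if s.mode_s == "needid":                                      # Part 3
        good_s = {p[2] for p in s.rs if p[0] == "accept" and p[1] == s.jd_s}
        if s.mode_r == "accept" and s.jd_r == s.jd_s:
            good_s.add(s.id_r)   # the id still held by the receiver counts too
    else:
        good_s = set()
    u["good_s"] = good_s
    u["mode_r"] = "idle" if s.mode_r == "accept" else s.mode_r    # Part 4
    u["good_r"] = {s.id_r} if s.mode_r == "accept" else set()     # Part 5
    u["sr"] = [(p[1], p[2]) for p in s.sr if p[0] == "send"]      # Part 6
    u["rs"] = [(p[1], p[2]) for p in s.rs if p[0] == "ack"]
    return u


def violated_invariants(s: HState) -> list:
    """Names of the invariants among 9.5-9.10 that s violates (empty if none)."""
    bad = []
    if (s.mode_s == "rec" or s.mode_r == "rec") and s.current_ok:
        bad.append("9.5")
    if s.id_s is not NIL and s.mode_s not in ("send", "rec"):
        bad.append("9.6")
    registered = {p[2] for p in s.sr if p[0] == "send"}   # 9.7: ids that must be in used_s
    registered |= {p[1] for p in s.rs if p[0] == "ack"}
    if s.id_s is not NIL:
        registered.add(s.id_s)
    if s.mode_r in ("rcvd", "ack"):
        registered.add(s.last_r)
    if not registered <= s.used_s:
        bad.append("9.7")
    if s.id_s is not NIL and (s.id_s in s.done_buf_s or ("done", s.id_s) in s.sr):
        bad.append("9.8")
    jds_of_id = {}                                       # 9.9: seen_r is injective in id
    for jd, i in s.seen_r:
        jds_of_id.setdefault(i, set()).add(jd)
    if ((s.id_r is not NIL and (s.jd_r, s.id_r) not in s.seen_r)
            or any(len(v) > 1 for v in jds_of_id.values())
            or any((p[1], p[2]) not in s.seen_r for p in s.rs if p[0] == "accept")):
        bad.append("9.9")
    if (s.mode_s == "needid" and s.mode_r == "accept" and s.jd_s == s.jd_r
            and any((p[0] == "send" and p[2] == s.id_r) or p == ("done", s.id_r)
                    for p in s.sr)):
        bad.append("9.10")
    return bad


def sample_state() -> HState:
    """Constructed state: the sender waits for an id for jd 7, the receiver has
    accepted jd 7 with id 3, and a done packet for an older id 2 is in flight."""
    return HState(
        mode_s="needid", jd_s=7, used_s={1, 2}, done_buf_s=[2],
        mode_r="accept", jd_r=7, id_r=3, issued_r={1, 2, 3},
        seen_r={(5, 1), (5, 2), (7, 3)},
        sr=[("needid", 7), ("done", 2)],
        rs=[("accept", 7, 3), ("ack", 2, True)],
    )


if __name__ == "__main__":
    s = sample_state()
    print(violated_invariants(s), refine(s)["good_s"], refine(s)["good_r"])  # [] {3} {3}
```

In the constructed state the $id$ 3 enters $good_s$ twice over, once through the $accept$ packet in $rs$ and once through the receiver's $id_r$, which is exactly the situation that the $send\_pkt_{rs}(accept, jd, id)$ case of Lemma 9.13 relies on: adding the packet cannot change $good_s$ because the $id$ was already there.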
Lemma 9.13

$A^h_{H'} \le_R A^{\rho}_{G'}$ via $R_{HG}$.

Proof

We prove that $R_{HG}$ is a refinement mapping from $A^h_{H'}$ to $A^{\rho}_{G'}$ with respect to $I_{H'}$ and $I_{G'}$. We check the two conditions (which we call the base case and the inductive case, respectively) of Definition 5.2.

Base Case

It is easy to see that for the start state $s$ of $A^h_{H'}$, $R_{HG}(s)$ is a start state of $A^{\rho}_{G'}$.

Inductive Case

Assume $(s, a, s') \in steps(A^h_{H'})$ such that $s$ and $s'$ satisfy $I_{H'}$ and $R_{HG}(s)$ satisfies $I_{G'}$. Below we consider cases based on $a$ (and sometimes subcases of each case), and for each (sub)case we define a finite execution fragment $\alpha$ of $A^{\rho}_{G'}$ of the form $(R_{HG}(s), a', u'', a'', u''', \ldots, R_{HG}(s'))$ with $trace(\alpha) = trace(a)$. For brevity we let $u$ denote $R_{HG}(s)$ and $u'$ denote $R_{HG}(s')$.

Unless otherwise stated we let Parts 1–6 refer to the parts of Definition 9.12.

$a \in \{send\_msg(m), receive\_msg(m), ack(b), recover_s\}$

Then it is easy to see that $(u, a, u') \in steps(A^{\rho}_{G'})$.

$a = crash_s$

We show that $(u, crash_s, u'', shrink\_good_s(I), u')$, where $u''$ and $I$ are defined below, is a finite execution fragment of $A^{\rho}_{G'}$ by showing that $(u, crash_s, u'')$ and $(u'', shrink\_good_s(I), u')$ are steps of $A^{\rho}_{G'}$. Clearly the execution fragment has the right trace.

Define $u''$ to be the same as $u'$ except that $u''.good_s = u.good_s$. Then it is easy to see that $(u, crash_s, u'') \in steps(A^{\rho}_{G'})$.

Now, if $s.mode_s = needid$ then $u''.good_s$ might be nonempty, whereas $u'.good_s = \emptyset$ according to $R_{HG}$. So define $I = u''.good_s$. (Note that $I = \emptyset$ if $s.mode_s \neq needid$.) Then, obviously, $(u'', shrink\_good_s(I), u') \in steps(A^{\rho}_{G'})$.

$a = crash_r$

We show that $(u, crash_r, u'', shrink\_good_r(I), u')$, where $I = u.good_r$ and $u''$ is defined below, is a finite execution fragment of $A^{\rho}_{G'}$ by showing that $(u, crash_r, u'')$ and $(u'', shrink\_good_r(I), u')$ are steps of $A^{\rho}_{G'}$. Clearly the execution fragment has the right trace.

Define $u''$ to be the same as $u'$, except that $u''.good_r = u.good_r$.

It is easy to see that $(u, crash_r, u'') \in steps(A^{\rho}_{G'})$. The only interesting case is to show that $good_r$ is handled correctly, but from the definition of $u''$ we have $u''.good_r = u.good_r$, which is as required.
Since $u'.mode_r = rec$, we get from Invariant 9.5 that $u'.current\text{-}ok$, and then also $u''.current\text{-}ok$, is false, so $shrink\_good_r(I)$ is enabled in $u''$. The only difference between $u''$ and $u'$ is the value of $good_r$. We have $u''.good_r = I$ and $u'.good_r = \emptyset$, since $s'.mode_r = rec \neq accept$. This change in $good_r$ is as required by the definition of $shrink\_good_r(I)$ in $A^{\rho}_{G'}$.

$a = recover_r$

We show that $(u, recover_r, u') \in steps(A^{\rho}_{G'})$. This step (and finite execution fragment) clearly has the right trace.

First note that $recover_r$ is enabled in $u$. We then carry out a case-by-case check to see that all state variables change appropriately. The only interesting cases are $good_r$ and $issued_r$.

Both $u.good_r = \emptyset$ and $u'.good_r = \emptyset$ by the definition of $R_{HG}$, since $mode_r \neq accept$ in $s$ and $s'$. Thus the value of $good_r$ is unchanged, as required by the definition of $recover_r$ in $A^{\rho}_{G'}$.

From the definition of $recover_r$ in $A^h_{H'}$ and $R_{HG}$ we have that $u.issued_r = u'.issued_r$. To show that $recover_r$ in $A^{\rho}_{G'}$ allows $issued_r$ to be left unchanged, we must show that $u.used_s \subseteq u.issued_r$ and $u.good_s \subseteq u.issued_r$. Both of these requirements follow directly from the definition of $R_{HG}$ and Invariant 9.1.

$a = choose\_jd(jd)$

We show that $(u, prepare, u') \in steps(A^{\rho}_{G'})$. This step (and finite execution fragment) clearly has the right trace.

Since $choose\_jd(jd)$ is enabled in $s$ and $u = R_{HG}(s)$, it is immediate that $prepare$ is enabled in $u$. A case analysis on the variables of $A^{\rho}_{G'}$ shows that all are modified properly; the only interesting case is that of $good_s$. There, the definition of $prepare$ in $A^{\rho}_{G'}$ requires that $u'.good_s = \emptyset$. We must show that this is the case.

First, assume $s.jd_r = nil$. By the definition of $choose\_jd(jd)$ in $A^h_{H'}$ we have $s'.jd_s \neq nil$, so since $s'.jd_r = s.jd_r$, we have $s'.jd_s \neq s'.jd_r$.

Now assume $s.jd_r \neq nil$. Then Invariant 9.2 gives us that $s.jd_r \in s.jd\text{-}used_s$, and since $s'.jd_r = s.jd_r$ we have $s'.jd_r \in s.jd\text{-}used_s$. By the definition of $choose\_jd(jd)$ in $A^h_{H'}$ we have $s'.jd_s \notin s.jd\text{-}used_s$, so also in this case we get $s'.jd_s \neq s'.jd_r$.

From Invariant 9.2 we get $jds(s.rs) \subseteq s.jd\text{-}used_s$. By the definition of $choose\_jd(jd)$ in $A^h_{H'}$ we have $jds(s'.rs) = jds(s.rs)$ and $s'.jd_s \notin s.jd\text{-}used_s$, so we get $s'.jd_s \notin jds(s'.rs)$.

Finally, since $s'.jd_s \neq s'.jd_r$ and $s'.jd_s \notin jds(s'.rs)$, we get from the definition of $R_{HG}$ that $u'.good_s = \emptyset$, as required.

$a = send\_pkt_{sr}(needid, jd)$

We show that $u' = u$. Then the execution fragment $u$ of $A^{\rho}_{G'}$ clearly has the right properties.

The only difference between $s$ and $s'$ is that $s'$ contains an additional $needid$ packet in the $sr$ channel. But this does not affect the values of any of the variables of $A^{\rho}_{G'}$, according to the definition of $R_{HG}$.

$a = receive\_pkt_{sr}(needid, jd)$

We consider two cases.
1. $s.mode_r \neq idle$.

Then the only difference between $s$ and $s'$ is that the latter is missing one $needid$ packet from the $sr$ channel. But this does not affect the values of any variables of $A^{\rho}_{G'}$, so $u' = u$. Then the execution fragment $u$ of $A^{\rho}_{G'}$ clearly has the right properties.

2. $s.mode_r = idle$.

There are two subcases.

(a) $s.mode_s \neq needid$ or $jd \neq s.jd_s$.

We show that $(u, grow\_good_r(\{id\}), u') \in steps(A^{\rho}_{G'})$, where $id$ is the identifier chosen in the step of $A^h_{H'}$, i.e., $id = s'.id_r$. Clearly the step has the right trace (the empty trace).

The definition of the step in $A^h_{H'}$ implies that $id \notin s.issued_r$. From the definition of $R_{HG}$ we have $u.issued_r = s.issued_r$, so that $grow\_good_r(\{id\})$ is enabled in $u$.

We consider the state changes. From the definition of $R_{HG}$ we have $u.good_r = \emptyset$ and $u'.good_r = \{id\}$. This is the change to $good_r$ specified by the definition of $grow\_good_r(\{id\})$. Also, the step of $A^h_{H'}$ explicitly adds $id$ to $issued_r$, which is as required by the definition of $grow\_good_r(\{id\})$ in $A^{\rho}_{G'}$.

We claim that all variables of $A^{\rho}_{G'}$ other than $good_r$ and $issued_r$ have the same values in $u$ and $u'$. This is immediate for $mode_s$, $buf_s$, $used_s$, $current\text{-}msg_s$, $current\text{-}ack_s$, $buf_r$, $last_r$, $nack\text{-}buf_r$, $current\text{-}ok$, and $last_s$. For $mode_r$, we have a change at the $H$ level, from $idle$ to $accept$. But both of these correspond to $idle$ at the $G$ level.

We now show that $u.good_s = u'.good_s$. We make a case analysis based on the definition of this case. First assume $s.mode_s \neq needid$. Then also $s'.mode_s \neq needid$, so from the definition of $R_{HG}$ we have $u.good_s = u'.good_s = \emptyset$, as needed.

Now assume $s.mode_s = needid$ and $jd \neq s.jd_s$. Since $s'.jd_r = jd$ and $s'.jd_s = s.jd_s$ we get $s'.jd_s \neq s'.jd_r$, so even though $mode_r$ changes to $accept$ in $A^h_{H'}$, it is easy to see from the definition of $R_{HG}$ that $u.good_s = u'.good_s$.

Finally, the only difference between the channels in $s$ and $s'$ is that the $sr$ channel in $s'$ is missing one $needid$ packet. But then the values of the channels in $u$ and $u'$ are the same.

(b) $s.mode_s = needid$ and $jd = s.jd_s$.

We show that $(u, grow\_good_r(\{id\}), u'', grow\_good_s(\{id\}), u')$, where $u''$ is defined below and $id = s'.id_r$, is a finite execution fragment of $A^{\rho}_{G'}$. We do this by showing that $(u, grow\_good_r(\{id\}), u'')$ and $(u'', grow\_good_s(\{id\}), u')$ are steps of $A^{\rho}_{G'}$. The execution fragment clearly has the right trace.

Define $u''$ to be the same as $u'$, except that $u''.good_s = u'.good_s \setminus \{id\}$.

The argument that $(u, grow\_good_r(\{id\}), u'')$ is a step of $A^{\rho}_{G'}$ is the same as the argument for the previous case, except for the part about $good_s$. Here, $u.good_s = u''.good_s$ by explicit construction.

To show that $(u'', grow\_good_s(\{id\}), u')$ is a step of $A^{\rho}_{G'}$, it suffices to note that $id \in u''.issued_r$, $id \in u''.good_r$, and $id \notin u''.used_s$. (The latter claim uses Invariant 9.1.)

$a = send\_pkt_{rs}(accept, jd, id)$

We show that $u' = u$. Then the execution fragment $u$ of $A^{\rho}_{G'}$ clearly has the right properties.

The only difference between $s$ and $s'$ is that $s'$ contains an additional $accept$ packet in the $rs$ channel. We claim that this does not affect the values of any of the $A^{\rho}_{G'}$ variables.
The only interesting case to check is the value of $good_s$. The only way the step can modify this variable according to $R_{HG}$ is to add an $id$ to $good_s$ by putting an $(accept, s'.jd_s, id)$ packet into the $rs$ channel. By the definition of the step in $H$, the packet sent is $(accept, s.jd_r, s.id_r)$, so it must be that $s'.jd_s = s.jd_r$ and $id = s.id_r$. Since $s.jd_s = s'.jd_s$, it follows that $s.jd_s = s.jd_r$. But then $id \in u.good_s$ already, by Part 3 of $R_{HG}$. This contradicts the assumption that the step modified this variable.

$a = receive\_pkt_{rs}(accept, jd, id)$

There are two cases.

1. $s.mode_s = rec$

In this case the only difference between $s'$ and $s$ is that $s$ has an extra $(accept, jd, id)$ packet on $rs$, but from the definition of $R_{HG}$ we see that this does not affect any of the variables in $A^{\rho}_{G'}$, since $s.mode_s \neq needid$. Thus $u' = u$, and the execution fragment $u$ of $A^{\rho}_{G'}$ has the right properties.

2. $s.mode_s \neq rec$

We consider two subcases.

(a) $s.mode_s \neq needid$ or $jd \neq s.jd_s$.

We show that $u' = u$. Then the execution fragment $u$ of $A^{\rho}_{G'}$ has the right properties. The only difference between $s$ and $s'$ is that $s'$ lacks a single $accept$ packet in the $rs$ channel and that $done\text{-}buf_s$ might be updated. We claim that this does not affect the values of any of the $A^{\rho}_{G'}$ variables; the only interesting case to check is that of $good_s$, and there, the fact that $s.mode_s \neq needid$ or $jd \neq s.jd_s$ implies that $good_s$ has the same value in $u$ and $u'$.

(b) $s.mode_s = needid$ and $jd = s.jd_s$.

We show that $(u, choose\_id(id), u'', shrink\_good_s(I), u')$, where $I = u.good_s$ and $u''$ is defined below, is an execution fragment of $A^{\rho}_{G'}$ by showing that $(u, choose\_id(id), u'')$ and $(u'', shrink\_good_s(I), u')$ are steps of $A^{\rho}_{G'}$. Clearly the execution fragment has the right trace.

Define $u''$ to be the same as $u'$ except that $u''.good_s = I$.

First consider $(u, choose\_id(id), u'')$. Since $s.mode_s = needid$, we have $u.mode_s = needid$. Then, to prove that $choose\_id(id)$ is enabled in $u$, we need to show that $id \in u.good_s$. In $s$, we have $(accept, jd, id)$ in the $rs$ channel, and moreover $jd = s.jd_s$. Thus, from the definition of $R_{HG}$ we have $id \in u.good_s$, as needed.

Now we consider the effects on the variables in $A^{\rho}_{G'}$. A case analysis shows that the changes reflected in $u''$ are as specified by the step of $A^{\rho}_{G'}$. The only interesting case is that of $good_s$, where the definition $u''.good_s = I = u.good_s$ ensures that the value is unchanged, as required by the definition of $choose\_id(id)$ in $A^{\rho}_{G'}$.

To see that $(u'', shrink\_good_s(I), u')$ is a step of $A^{\rho}_{G'}$, note that $u'.good_s = \emptyset$. Therefore the changes are as required by the definition of $shrink\_good_s(I)$ in $A^{\rho}_{G'}$.

$a = send\_pkt_{sr}(send, m, id)$

Then it is easy to see that $(u, send\_pkt_{sr}(m, id), u') \in steps(A^{\rho}_{G'})$. This step (and execution fragment) clearly has the right trace.
$a = receive\_pkt_{sr}(send, m, id)$

We show that $(u, receive\_pkt_{sr}(m, id), u') \in steps(A^{\rho}_{G'})$. This step (and execution fragment) has the right trace.

We consider four (exclusive and exhaustive) cases.

1. $s.mode_r = rec$.

Then the only change from $s$ to $s'$ is the removal of the single packet from the $sr$ channel. Since also $u.mode_r = rec$, this corresponds to the right change in $A^{\rho}_{G'}$.

2. $s.mode_r = accept$ and $id = s.id_r$.

Then, from the definition of $R_{HG}$ we have that $u.mode_r = idle$ and $id \in u.good_r$, so that the required state change of the receiver variables of $A^{\rho}_{G'}$ is described by the first alternative in the nested if-then-else construct in the step rule for $receive\_pkt_{sr}(m, id)$. A case analysis shows that all variables of $A^{\rho}_{G'}$ are handled correctly. The interesting cases are $current\text{-}ok$ and $good_r$.

For $current\text{-}ok$, we consider two cases.

First, if $id = s.id_s$, then we have $id = u.last_s$. Moreover, $s.mode_s \in \{send, rec\}$ by Invariant 9.6. If $s.mode_s = rec$ then Invariant 9.5 implies that $s.current\text{-}ok$ is already false, so setting it to false in $A^h_{H'}$ is a no-op, as required by the step in $A^{\rho}_{G'}$. If $s.mode_s = send$, both algorithms set $current\text{-}ok$ to false.

On the other hand, if $id \neq s.id_s$, then also $id \neq u.last_s$. Thus in this case neither level changes $current\text{-}ok$.

For $good_r$, note that $u.good_r = \{s.id_r\}$ since $s.mode_r = accept$, and $u'.good_r = \emptyset$ since $s'.mode_r \neq accept$. Since $id = s.id_r$, this change is as required by the definition of $receive\_pkt_{sr}(m, id)$ of $A^{\rho}_{G'}$.

3. $s.mode_r \neq rec$ and ($s.mode_r \neq accept$ or $id \neq s.id_r$).

We show that the required state changes of the receiver variables of $A^{\rho}_{G'}$ are not described by the first alternative inside the nested if-then-else construct. First, if $s.mode_r \neq accept$ then $u.good_r = \emptyset$, which gives the result. Next, if $s.mode_r = accept$ we have $u.good_r = \{s.id_r\}$, but from the definition of this case we must have $id \neq s.id_r$, so again the result follows. We now consider two cases.

(a) $id \neq s.last_r$

Then we have $s'.nack\text{-}buf_r = s.nack\text{-}buf_r \frown id$. Since $id \neq u.last_r$ by the definition of $R_{HG}$, we also have $u'.nack\text{-}buf_r = u.nack\text{-}buf_r \frown id$. It is now easy to see that all state variables of $A^{\rho}_{G'}$ are handled correctly.

(b) $id = s.last_r$

In this case $A^h_{H'}$ makes no changes (that is, the only difference between $s$ and $s'$ is that the latter has the one packet deleted from the $sr$ channel). We must thus show that all variables but $sr$ of $A^{\rho}_{G'}$ have the same values in $u$ and $u'$.

First we note that the $A^{\rho}_{G'}$ step does not choose the second alternative inside the nested if-then-else construct, since the definition of this case and $R_{HG}$ give us that $id = u.last_r$.

We must show that $A^{\rho}_{G'}$ does not choose the third alternative. The only way $A^{\rho}_{G'}$ can choose the third alternative is if $u.mode_r = idle$. From the definition of $R_{HG}$ we see that this is the case if $s.mode_r \in \{idle, accept\}$. Now, Invariant 9.3 gives us that
$s.last_r = nil$, but this contradicts the definition of this case ($id = s.last_r$). Thus we cannot have $u.mode_r = idle$, which again implies that $A^{\rho}_{G'}$ does not choose the third alternative.

That suffices.

$a = send\_pkt_{sr}(done, id)$

This step of $A^h_{H'}$ changes $done\text{-}buf_s$ and may change the channel $sr$, but from the definition of $R_{HG}$ we see that this does not change any of the variables in $A^{\rho}_{G'}$, so we have $u = u'$. Thus the finite execution fragment $u$ clearly has the right properties.

$a \in \{send\_pkt_{rs}(ack, id, b), receive\_pkt_{rs}(ack, id, b)\}$

Then it is easy to see that $(u, send\_pkt_{rs}(id, b), u')$ and $(u, receive\_pkt_{rs}(id, b), u')$, respectively, are steps of $A^{\rho}_{G'}$.

$a = receive\_pkt_{sr}(done, id)$

We consider cases.

1. $s.mode_r = accept$ and $id = s.id_r$.

There are two subcases.

(a) $s.mode_s \neq needid$, or
($s.mode_s = needid$ and $s.jd_r \neq s.jd_s$), or
($s.mode_s = needid$ and $s.jd_r = s.jd_s$ and $(accept, s.jd_s, s.id_r) \in s.rs$).

We show that $(u, shrink\_good_r(\{id\}), u') \in steps(A^{\rho}_{G'})$. This step (and execution fragment) clearly has the right trace.

First, we show that $shrink\_good_r(\{id\})$ is enabled in $u$.

i. $s.mode_s \neq needid$

Then the precondition of $shrink\_good_r(\{id\})$ is satisfied by $u$. The only interesting case is if $s.mode_s = send$. In this case we must show that $u.last_s \neq id$, i.e., that $s.id_s \neq id$. Since $(done, id) \in s.sr$, Invariant 9.8 gives the result.

ii. $s.mode_s = needid$ and $s.jd_r \neq s.jd_s$

Here it suffices to show that $id \notin u.good_s$. From $R_{HG}$ we get that $u.good_s = \{id' \mid (accept, s.jd_s, id') \in s.rs\}$. From Invariant 9.9 Part 3 we get that $u.good_s$ is a subset of the set $S = \{id' \mid (s.jd_s, id') \in s.seen_r\}$, so it suffices to show that $id \notin S$. Since $s.id_r = id \neq nil$, we get from Invariant 9.9 Part 1 that $(s.jd_r, id) \in s.seen_r$, and Part 2 of the same invariant then implies that $(s.jd_s, id) \notin s.seen_r$, since $s.jd_s \neq s.jd_r$ in the case we consider here. Thus the result follows.

iii. $s.mode_s = needid$ and $s.jd_r = s.jd_s$ and $(accept, s.jd_s, s.id_r) \in s.rs$

Invariant 9.10 implies that this situation cannot occur.

We now show that the variable changes are allowed by the step of $A^{\rho}_{G'}$.

First, we show that $good_r$ is handled correctly. By the definition of this case and $R_{HG}$, we get that $u.good_r = \{id\}$ and $u'.good_r = \emptyset$. Thus $good_r$ changes in a way allowed by $shrink\_good_r(\{id\})$ in $A^{\rho}_{G'}$.

We must show that no other variables have different values in $u'$ and $u$. The interesting cases are $mode_r$, $last_r$, and $good_s$.
For $mode_r$ we have $s.mode_r = accept$ and $s'.mode_r = idle$, but then $R_{HG}$ gives us $u'.mode_r = u.mode_r = idle$, as needed.

For $last_r$ we have $u.last_r = nil$ from Invariant 9.3, since $s.mode_r = accept$, and $u'.last_r = nil$ from the definition of the $A^h_{H'}$ step. Thus $last_r$ is unchanged, as needed.

Finally, we consider $good_s$.

i. $s.mode_s \neq needid$

Then, since also $s'.mode_s \neq needid$, $R_{HG}$ gives us $u'.good_s = u.good_s$ ($= \emptyset$), as needed.

ii. $s.mode_s = needid$ and $s.jd_r \neq s.jd_s$

Since $s'.mode_s = needid$, we have $s'.jd_s \neq nil$ (easy invariant), so since $s'.jd_r = nil$ we have $s'.jd_r \neq s'.jd_s$. Now, since $jd_s$ and $rs$ are unchanged in the $A^h_{H'}$ step, we clearly get from $R_{HG}$ that $u'.good_s = u.good_s$, as needed.

iii. $s.mode_s = needid$ and $s.jd_r = s.jd_s$ and $(accept, s.jd_s, s.id_r) \in s.rs$

Again, Invariant 9.10 implies that this situation cannot occur.

(b) $s.mode_s = needid$, $s.jd_r = s.jd_s$, and $(accept, s.jd_s, s.id_r) \notin s.rs$

We show that $(u, shrink\_good_s(\{id\}), u'', shrink\_good_r(\{id\}), u')$, where $u''$ is defined below, is an execution fragment of $A^{\rho}_{G'}$ by showing that $(u, shrink\_good_s(\{id\}), u'')$ and $(u'', shrink\_good_r(\{id\}), u')$ are steps of $A^{\rho}_{G'}$. The execution fragment clearly has the right trace.

Define $u''$ to be the same as $u$ except that $u''.good_s = u.good_s \setminus \{id\}$.

Then obviously $(u, shrink\_good_s(\{id\}), u'') \in steps(A^{\rho}_{G'})$.

We show that also $(u'', shrink\_good_r(\{id\}), u') \in steps(A^{\rho}_{G'})$.

Since $u''.mode_s = u.mode_s = needid$ and $id \notin u''.good_s$, $shrink\_good_r(\{id\})$ is enabled in $u''$.

We show that all variables are handled correctly. For all variables other than $good_s$ the arguments are as in the case above.

We show that $u''.good_s = u'.good_s$. We have $s'.jd_r = nil \neq s'.jd_s$ (since $s'.mode_s = needid$), so the definition of $R_{HG}$ and $u''$ gives us:

$u''.good_s = (\{id' \mid (accept, s.jd_s, id') \in s.rs\} \cup \{id\}) \setminus \{id\}$ and
$u'.good_s = \{id' \mid (accept, s'.jd_s, id') \in s'.rs\}$.

Since $jd_s$ and $rs$ are unchanged, it suffices to show $id \notin \{id' \mid (accept, s.jd_s, id') \in s.rs\}$, but since $id = s.id_r$, this follows directly from the definition of this subcase.

That suffices.

2. $s.mode_r = ack$ and $id = s.last_r$.

We show that $(u, cleanup_r, u') \in steps(A^{\rho}_{G'})$. This step (and execution fragment) clearly has the right trace.

Since $(done, id) \in s.sr$ we get from Invariant 9.8 that $id \neq s.id_s$, so from the definition of $R_{HG}$ and the hypothesis we get $u.last_s \neq u.last_r$. Also, since $s.mode_r = ack$, we have $u.mode_r = ack$. Thus $cleanup_r$ is enabled in $u$.

All variables are handled correctly. The changes to $last_r$ and $mode_r$ in $A^h_{H'}$ are clearly as required by the definition of $cleanup_r$ in $A^{\rho}_{G'}$. Since $mode_r \neq accept$ we have $u.good_r = u'.good_r$ ($= \emptyset$), as needed. The only other interesting case is $good_s$. But since $mode_r \neq accept$ and $jd_s$ and $rs$ are unchanged by the step in $A^h_{H'}$, we get from $R_{HG}$ that $u'.good_s = u.good_s$, as needed.

3. Otherwise

Then we claim that $u' = u$.
The only difference between $s$ and $s'$ is the removal of the $done$ packet from the $sr$ channel. This does not affect any of the $A^{\rho}_{G'}$ variables.

$a = grow\text{-}jd\text{-}used_s(jds)$

This step adds some elements to $jd\text{-}used_s$, but since $jd\text{-}used_s$ is not used in the mapping $R_{HG}$, we have $u = u'$. Thus the execution fragment $u$ has the right properties.

$a = grow\text{-}issued_r(ids)$

This transition adds elements to $issued_r$ in $A^h_{H'}$.

We show that $(u, grow\_good_r(I), u'', shrink\_good_r(I), u')$, where $u''$ is defined below and $I = s'.issued_r \setminus s.issued_r$, is an execution fragment of $A^{\rho}_{G'}$ by showing that $(u, grow\_good_r(I), u'')$ and $(u'', shrink\_good_r(I), u')$ are steps of $A^{\rho}_{G'}$. The execution fragment clearly has the right trace.

Define $u''$ to be the same as $u'$ except that $u''.good_r = u.good_r \cup I$.

From the definition of $R_{HG}$ we get that $I = u'.issued_r \setminus u.issued_r$, which implies that $I \cap u.issued_r = \emptyset$. Thus $grow\_good_r(I)$ is enabled in $u$. Now, the only difference between $u$ and $u''$ is that $u''.good_r = u.good_r \cup I$ (by explicit construction) and $u''.issued_r = u.issued_r \cup I$ (by the definition of $grow\text{-}issued_r$, $R_{HG}$ and $u''$), but this is as required by $grow\_good_r(I)$ in $A^{\rho}_{G'}$.

We now consider $(u'', shrink\_good_r(I), u')$. To show that $shrink\_good_r(I)$ is enabled in $u''$, we show that $I \cap u''.good_s = \emptyset$ and that $u''.last_s \notin I$.

First, consider the claim that $I \cap u''.good_s = \emptyset$. Since $u''.good_s = u.good_s$ we must show that $I \cap u.good_s = \emptyset$. From Invariant 9.1 and $R_{HG}$ we get that $u.good_s \subseteq s.issued_r$, but since $I \cap s.issued_r = \emptyset$ (by the definition of $I$) the result follows directly.

Then, consider the claim that $u''.last_s \notin I$. Since $u''.last_s = u.last_s = s.id_s$, we must show that $s.id_s \notin I$. If $s.id_s = nil$ this is obvious, so assume $s.id_s \neq nil$. Then Invariant 9.7 gives us that $s.id_s \in s.used_s$, and Invariant 9.1 implies that $s.id_s \in s.issued_r$. Again, since $I \cap s.issued_r = \emptyset$, we get the result.

Thus $shrink\_good_r(I)$ is enabled in $u''$.

The only difference between $u''$ and $u'$ is, by the definition of $u''$, that $u''.good_r = u.good_r \cup I = u'.good_r \cup I$. (The latter equality uses the definitions of $grow\text{-}issued_r$ and $R_{HG}$ to see that $u'.good_r = u.good_r$.) To satisfy the requirements in $A^{\rho}_{G'}$ we must show that $u'.good_r = u''.good_r \setminus I$. This is only the case if $u'.good_r \setminus I = u'.good_r$, i.e., if $u'.good_r \cap I = \emptyset$. Now, either $u'.good_r = \emptyset$, in which case this result follows directly, or $u'.good_r = \{s'.id_r\}$ (with $s'.id_r \neq nil$). In the latter case we observe that $s'.id_r = s.id_r$, so Invariant 9.1 implies that $u'.good_r \subseteq s.issued_r$, and since $I \cap s.issued_r = \emptyset$, we get that $u'.good_r \cap I = \emptyset$, as needed.

This concludes the simulation proof.

■

With this simulation result we can prove that $A_H$ safely implements $A_G$.

Theorem 9.14 ($A_H$ safely implements $A_G$)

$A_H \sqsubseteq_S A_G$
Proof

By Lemma 9.13 and the soundness of refinement mappings (Lemma 5.8) we get $A^h_{H'} \sqsubseteq_S A^{\rho}_{G'}$, and from Lemma 5.14 we get $A_{H'} \sqsubseteq_S A^h_{H'}$. Thus,

$A_{H'} \sqsubseteq_S A^{\rho}_{G'}$

which by substitutivity (Lemma 2.16) implies

$A_{H'} \setminus \mathcal{A}_H \sqsubseteq_S A^{\rho}_{G'} \setminus \mathcal{A}_H$

Then, by the definition of $\rho$, $\mathcal{A}_H$, and $\mathcal{A}_G$ we get

$A_{H'} \setminus \mathcal{A}_H \sqsubseteq_S A^{\rho}_{G'} \setminus \rho(\mathcal{A}_G)$

Now, since $\rho$ only renames actions which are subsequently hidden, this implies

$A_{H'} \setminus \mathcal{A}_H \sqsubseteq_S A_{G'} \setminus \mathcal{A}_G$

which finally, by definition, yields the result

$A_H \sqsubseteq_S A_G$

■

9.4.4 Correctness

We can now turn attention to formally proving that $H'^h$ correctly implements $G'^{\rho}$, which in turn allows us to prove that $H$ correctly implements $G$.

We start out by giving some basic results about $A^h_{H'}$. The first results (Lemma 9.15 and Lemma 9.16) describe certain possible steps of $A^h_{H'}$ in the absence of crashes. The lemmas have one part for each mode in the system, and each part is furthermore divided into two subparts. The first subpart states that if the system reaches a certain state, then it will stay in that state at least until a certain action (or certain actions) occur(s). The second subpart then states the resulting state if such an action indeed occurs.

In the remainder of this section we use notation like $send\_pkt_{rs}(accept, \_, \_)$ to denote the action function $\{send\_pkt_{rs}(accept, jd, id) \mid jd \in JD \wedge id \in ID\}$. Similarly, the expression $send\_pkt_{rs}(accept, \_, id_s)$ denotes the action function $\{send\_pkt_{rs}(accept, jd, id_s) \mid jd \in JD\}$.

Lemma 9.15

$A^h_{H'}$ satisfies each of the following formulas.

1. (a) $\Box(\Box(mode_s \neq rec) \wedge mode_s = idle \Rightarrow (mode_s = idle \;\mathcal{W}\; \langle choose\_jd(\_)\rangle))$
   (b) $\Box(mode_s = idle \wedge \langle choose\_jd(\_)\rangle \Rightarrow mode_s^{\circ} = needid)$

2. (a) $\forall jd : \Box(\Box(mode_s \neq rec) \wedge mode_s = needid \wedge jd_s = jd \Rightarrow$
       $(mode_s = needid \wedge jd_s = jd \;\mathcal{W}\; \langle receive\_pkt_{rs}(accept, jd, \_)\rangle))$
   (b) $\Box(mode_s = needid \wedge \langle receive\_pkt_{rs}(accept, jd_s, \_)\rangle \Rightarrow mode_s^{\circ} = send)$

3. (a) $\forall jd : \forall id : \Box(\Box(mode_s \neq rec) \wedge mode_s = send \wedge jd_s = jd \wedge id_s = id \Rightarrow$
       $(mode_s = send \wedge jd_s = jd \wedge id_s = id \;\mathcal{W}\; \langle receive\_pkt_{rs}(ack, id, \_)\rangle))$
   (b) $\Box(mode_s = send \wedge \langle receive\_pkt_{rs}(ack, id_s, \_)\rangle \Rightarrow mode_s^{\circ} = idle)$

Proof

Easy by careful inspection of the steps of $A^h_{H'}$.

■
Lemma 9.16

$A^h_{H'}$ satisfies each of the following formulas.

1. (a) $\Box(\Box(mode_r \neq rec) \wedge mode_r = idle \Rightarrow (mode_r = idle \;\mathcal{W}\; \langle receive\_pkt_{sr}(needid, \_)\rangle))$
   (b) $\forall jd : \Box(mode_r = idle \wedge \langle receive\_pkt_{sr}(needid, jd)\rangle \Rightarrow mode_r^{\circ} = accept \wedge jd_r^{\circ} = jd)$

2. (a) $\forall jd : \forall id : \Box(\Box(mode_r \neq rec) \wedge mode_r = accept \wedge jd_r = jd \wedge id_r = id \Rightarrow$
       $(mode_r = accept \wedge jd_r = jd \wedge id_r = id \;\mathcal{W}\; (\langle receive\_pkt_{sr}(send, \_, id)\rangle \vee \langle receive\_pkt_{sr}(done, id)\rangle)))$
   (b) $\Box(mode_r = accept \wedge \langle receive\_pkt_{sr}(send, \_, id_r)\rangle \Rightarrow mode_r^{\circ} = rcvd)$
       $\Box(mode_r = accept \wedge \langle receive\_pkt_{sr}(done, id_r)\rangle \Rightarrow mode_r^{\circ} = idle)$

3. (a) $\forall id : \Box(\Box(mode_r \neq rec) \wedge mode_r = rcvd \wedge last_r = id \Rightarrow$
       $(mode_r = rcvd \wedge last_r = id \;\mathcal{W}\; (\langle receive\_msg(\_)\rangle \wedge buf_r^{\circ} = \varepsilon)))$
   (b) $\Box(mode_r = rcvd \wedge \langle receive\_msg(\_)\rangle \wedge buf_r^{\circ} = \varepsilon \Rightarrow mode_r^{\circ} = ack)$

4. (a) $\forall id : \Box(\Box(mode_r \neq rec) \wedge mode_r = ack \wedge last_r = id \Rightarrow$
       $(mode_r = ack \wedge last_r = id \;\mathcal{W}\; \langle receive\_pkt_{sr}(done, id)\rangle))$
   (b) $\Box(mode_r = ack \wedge \langle receive\_pkt_{sr}(done, last_r)\rangle \Rightarrow mode_r^{\circ} = idle)$

Proof

Easy by careful inspection of the steps of $A^h_{H'}$.

■

In the proofs below we furthermore need the following simple lemma.

Lemma 9.17

$A^h_{H'} \models \Box(mode_s = needid \wedge mode_r = accept \wedge jd_s = jd_r \Rightarrow \neg\langle receive\_pkt_{sr}(send, \_, id_r)\rangle \wedge \neg\langle receive\_pkt_{sr}(done, id_r)\rangle)$

Proof

Directly by Invariant 9.10.

■
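Lemmas 9.16 and 9.17 describe the receiver's mode changes in the absence of crashes. The following Python model is added as an example and is not taken from the report. It executes exactly those transitions (plus $crash_r$ and $recover_r$) on a constructed run in which the receiver crashes after accepting $jd$ 7, is offered the same $jd$ again after recovery, and then sees a $send$ under the stale $id$, the real $send$, and a duplicate of it. The choice of a fresh identifier, leaving $buf_r$ untouched by $crash_r$, the clearing of $jd_r$ and $id_r$ on recovery, and the packet encoding are this example's assumptions; $last_r = nil$ in $idle$ mode is what Invariant 9.3 requires.

```python
NIL = None  # stands for the report's nil (constructed encoding)


class Receiver:
    """Constructed model of the receiver of A^h_{H'}, covering the transitions of
    Lemma 9.16 plus crash_r/recover_r. Not the report's automaton definition:
    the fresh-id choice, leaving buf_r untouched by crash_r, and resetting jd_r and
    id_r in recover_r are assumptions of this example (last_r = nil after recovery
    is what Invariant 9.3 requires for idle mode)."""

    def __init__(self):
        self.mode = "idle"       # mode_r
        self.jd = NIL            # jd_r
        self.id = NIL            # id_r
        self.last = NIL          # last_r
        self.buf = []            # buf_r
        self.nack_buf = []       # nack-buf_r
        self.issued = set()      # issued_r, history variable: survives crashes
        self.seen = set()        # seen_r, history variable: (jd, id) pairs ever associated
        self.modes = ["idle"]    # trace of mode_r for inspection

    def _fresh_id(self):
        # Any id outside issued_r is allowed (Lemma 9.13, receive_pkt_sr(needid) case 2(a)).
        return max(self.issued, default=0) + 1

    def receive_pkt_sr_needid(self, jd):
        if self.mode != "idle":          # needid is dropped unless the receiver is idle
            return
        self.jd, self.id = jd, self._fresh_id()
        self.issued.add(self.id)
        self.seen.add((jd, self.id))
        self.mode = "accept"
        self.modes.append(self.mode)

    def send_pkt_rs_accept(self):
        """The (accept, jd_r, id_r) packet re-sent while in accept mode (Lemma 9.20)."""
        return ("accept", self.jd, self.id) if self.mode == "accept" else None

    def receive_pkt_sr_send(self, m, id):
        if self.mode == "rec":
            return
        if self.mode == "accept" and id == self.id:
            self.last, self.buf, self.mode = id, [m], "rcvd"
            self.modes.append(self.mode)
        elif id != self.last:            # stale or unknown id: queue a negative ack
            self.nack_buf.append(id)
        # id == last_r: a duplicate of the message already accepted, no change

    def receive_pkt_sr_done(self, id):
        if (self.mode == "accept" and id == self.id) or (self.mode == "ack" and id == self.last):
            self.mode, self.last = "idle", NIL   # the second case is cleanup_r at the G level
            self.modes.append(self.mode)

    def receive_msg(self):
        """Deliver the buffered message; the mode becomes ack once buf_r is empty."""
        if self.mode != "rcvd" or not self.buf:
            return NIL
        m = self.buf.pop(0)
        if not self.buf:
            self.mode = "ack"
            self.modes.append(self.mode)
        return m

    def crash_r(self):
        self.mode = "rec"
        self.modes.append(self.mode)

    def recover_r(self):
        self.mode, self.jd, self.id, self.last = "idle", NIL, NIL, NIL
        self.modes.append(self.mode)


def at_most_once_scenario():
    """Constructed run: crash after accepting jd 7, the same jd offered again after
    recovery, then a send under the stale id, the real send, and a duplicate of it.
    Exactly one copy of the message is delivered."""
    r = Receiver()
    r.receive_pkt_sr_needid(7)            # accept with id_r = 1
    first = r.send_pkt_rs_accept()        # ("accept", 7, 1); assume the sender never sees it
    r.crash_r()
    r.recover_r()                         # jd_r/id_r forgotten, issued_r kept
    r.receive_pkt_sr_needid(7)            # retransmitted needid for the same jd: fresh id_r = 2
    second = r.send_pkt_rs_accept()       # ("accept", 7, 2)
    r.receive_pkt_sr_send("hello", 1)     # stale id: nacked, nothing delivered
    r.receive_pkt_sr_send("hello", 2)     # accepted: mode rcvd, last_r = 2
    delivered = [r.receive_msg()]         # buf_r emptied: mode ack
    r.receive_pkt_sr_send("hello", 2)     # duplicate (id == last_r): ignored
    r.receive_pkt_sr_done(2)              # cleanup: back to idle
    return {"first": first, "second": second, "delivered": delivered,
            "nacked": list(r.nack_buf), "seen": set(r.seen), "modes": list(r.modes)}


if __name__ == "__main__":
    print(at_most_once_scenario()["modes"])
```

The run leaves $seen_r = \{(7, 1), (7, 2)\}$: one $jd$ bound to two $id$s because of the crash, which Invariant 9.9 permits, while no $id$ is bound to two $jd$s, which is the part of Invariant 9.9 that the $receive\_pkt_{sr}(done, id)$ case of Lemma 9.13 depends on. The stale $id$ 1 is nacked rather than delivered, so the message arrives once.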



We now turn attention to more interesting results about the live executions of $H'^h$. The first lemma states that if the sender stays in $needid$ mode, then it will issue infinitely many $needid$ packets. This result is actually a simple consequence of weak fairness to the set $C_{H,s1}$. We give the proof in all formal detail.

Lemma 9.18 (needid liveness)

$L^h_{H'} \models \forall jd : \Box(\Box(mode_s = needid \wedge jd_s = jd) \Rightarrow \Box\Diamond\langle send\_pkt_{sr}(needid, jd)\rangle)$

Proof

Assume: $\alpha \in L^h_{H'}$
Prove: $\alpha \models \forall jd : \Box(\Box(mode_s = needid \wedge jd_s = jd) \Rightarrow \Box\Diamond\langle send\_pkt_{sr}(needid, jd)\rangle)$

⟨1⟩1. Assume: $jd$ is arbitrary
      Prove: $\alpha \models \Box(\Box(mode_s = needid \wedge jd_s = jd) \Rightarrow \Box\Diamond\langle send\_pkt_{sr}(needid, jd)\rangle)$

  ⟨2⟩1. Assume: $\alpha_1$ is an arbitrary suffix of $\alpha$
        Prove: $\alpha_1 \models \Box(mode_s = needid \wedge jd_s = jd) \Rightarrow \Box\Diamond\langle send\_pkt_{sr}(needid, jd)\rangle$

    ⟨3⟩1. Assume: $\alpha_1 \models \Box(mode_s = needid \wedge jd_s = jd)$
          Prove: $\alpha_1 \models \Box\Diamond\langle send\_pkt_{sr}(needid, jd)\rangle$

      ⟨4⟩1. $\alpha_1 \models WF(C_{H,s1})$
            Proof: By the assumption $\alpha \in L^h_{H'}$ we have $\alpha \models WF(C_{H,s1})$. Then Assumption ⟨2⟩ and Lemma 3.5 Part 1 give the result.

      ⟨4⟩2. $\alpha_1 \models \Diamond\Box(mode_s \in \{rec, needid, send\} \vee (mode_s = idle \wedge buf_s \neq \varepsilon)) \Rightarrow \Box\Diamond\langle C_{H,s1}\rangle$
            Proof: From ⟨4⟩1 by expanding $WF$ and noting that $enabled(C_{H,s1}) = (mode_s \in \{rec, needid, send\} \vee (mode_s = idle \wedge buf_s \neq \varepsilon))$.

      ⟨4⟩3. $\alpha_1 \models \Box(mode_s \in \{rec, needid, send\} \vee (mode_s = idle \wedge buf_s \neq \varepsilon)) \Rightarrow \Box\Diamond\langle C_{H,s1}\rangle$
            Proof: Directly from ⟨4⟩2.

      ⟨4⟩4. $\alpha_1 \models \Box\Diamond\langle C_{H,s1}\rangle$
            Proof: By Assumption ⟨3⟩, ⟨4⟩3, and Rule MP.

      ⟨4⟩5. Q.E.D.
            Proof: By ⟨4⟩4, since Assumption ⟨3⟩ yields that $send\_pkt_{sr}(needid, jd)$ is the only action in $C_{H,s1}$ which is enabled anywhere in $\alpha_1$.

    ⟨3⟩2. Q.E.D.
          Proof: By ⟨3⟩1 and the definition of implication.

  ⟨2⟩2. Q.E.D.
        Proof: By ⟨2⟩1 and Lemma 3.5 Part 2.

⟨1⟩2. Q.E.D.
      Proof: By ⟨1⟩1 and Lemma 3.5 Part 5.

■

The following lemmas (Lemmas 9.19–9.23) state similar basic results about the live executions of $H'^h$.

Lemma 9.19 (done liveness)

1. $L^h_{H'} \models \forall id : (\Box(mode_s \neq rec) \wedge id \in done\text{-}buf_s) \rightsquigarrow \langle send\_pkt_{sr}(done, id)\rangle$

2. $L^h_{H'} \models \forall id : \Box(\Box(mode_s \neq rec) \wedge \Box\Diamond\langle receive\_pkt_{rs}(ack, id, true)\rangle \Rightarrow \Box\Diamond\langle send\_pkt_{sr}(done, id)\rangle)$
3. $L^h_{H'} \models \forall jd : \forall id : \Box(\Box(mode_s = needid \wedge jd_s \neq jd) \wedge \Box\Diamond\langle receive\_pkt_{rs}(accept, jd, id)\rangle \Rightarrow \Box\Diamond\langle send\_pkt_{sr}(done, id)\rangle)$

Proof

We sketch the proof.

1. Consider an arbitrary suffix of a live execution of $H'^h$ and assume that the sender is never crashed in this suffix. In the first state of the suffix, let $id$ be an arbitrary element of $done\text{-}buf_s$ and $id'$ the first element of $done\text{-}buf_s$. Then $send\_pkt_{sr}(done, id')$ is enabled (since $\Box(mode_s \neq rec)$), and by fairness eventually $send\_pkt_{sr}(done, id')$ occurs and $id'$ is removed from $done\text{-}buf_s$. By repeating this argument, we get that eventually $id$ is first in $done\text{-}buf_s$ and then eventually $send\_pkt_{sr}(done, id)$ occurs.

2. Here $id$ will infinitely often be put into $done\text{-}buf_s$ by the $receive\_pkt_{rs}(ack, id, true)$ events, since $\Box(mode_s \neq rec)$. Then Part 1 of this lemma implies the result.

3. Similar to Part 2. When $mode_s = needid$, Invariant 9.6 implies $id_s = nil$. Then, since $jd_s \neq jd$, each $receive\_pkt_{rs}(accept, jd, id)$ step leads to $id$ being inserted into $done\text{-}buf_s$. Part 1 of this lemma then implies the result.

■

Lemma 9.20 (accept liveness)

1. $L^h_{H'} \models \forall jd : \forall id : \Box(\Box(mode_r = accept \wedge jd_r = jd \wedge id_r = id) \Rightarrow \Box\Diamond\langle send\_pkt_{rs}(accept, jd, id)\rangle)$

2. $L^h_{H'} \models \forall jd : \forall id : \Box(\Box(mode_r \neq rec) \wedge mode_r = accept \wedge jd_r = jd \wedge id_r = id \Rightarrow$
   $\Diamond\langle receive\_pkt_{sr}(send, \_, id)\rangle \;\vee$
   $\Diamond\langle receive\_pkt_{sr}(done, id)\rangle \;\vee$
   $\Box\Diamond\langle send\_pkt_{rs}(accept, jd, id)\rangle)$

Proof

1. Similar to the proof of Lemma 9.18.

2. Assume: 1. $\alpha \in L^h_{H'}$
           2. $jd$ and $id$ are arbitrary
           3. $\alpha_1$ is an arbitrary suffix of $\alpha$

   Prove: $\alpha_1 \models \Box(mode_r \neq rec) \wedge mode_r = accept \wedge jd_r = jd \wedge id_r = id \Rightarrow$
          $\Diamond\langle receive\_pkt_{sr}(send, \_, id)\rangle \;\vee$
          $\Diamond\langle receive\_pkt_{sr}(done, id)\rangle \;\vee$
          $\Box\Diamond\langle send\_pkt_{rs}(accept, jd, id)\rangle$

   ⟨1⟩1. $\alpha_1 \models \Box(mode_r = accept \wedge jd_r = jd \wedge id_r = id) \Rightarrow \Box\Diamond\langle send\_pkt_{rs}(accept, jd, id)\rangle$
         Proof: From Part 1 of this lemma, the Assumptions, and Lemma 3.5.

   ⟨1⟩2. $\alpha_1 \models \Box(\Box(mode_r \neq rec) \wedge mode_r = accept \wedge jd_r = jd \wedge id_r = id \Rightarrow$
         $((mode_r = accept \wedge jd_r = jd \wedge id_r = id) \;\mathcal{W}\; (\langle receive\_pkt_{sr}(send, \_, id)\rangle \vee \langle receive\_pkt_{sr}(done, id)\rangle)))$
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Proof: By Lemma 9.16 Part 2(a), The Assumptions, and Lemma 3.5. 
(1)3. Q.E.D. 

Proof: By (1)1, (1)2, and Rule Unll. 

By Lemma 3.5 the result follows. 

■ 

Lemma 9.21 (rcvd $\leadsto$ ack)

$L_{H'} \models \Box(\Box(mode_r \ne rec) \Rightarrow (mode_r = rcvd \leadsto mode_r = ack))$

Proof

We only sketch this proof. During any live execution of $H'$, if the receiver is in $rcvd$ mode
and never crashes, then, by the definition of $steps(A_{H'})$, the only mode change of the receiver
is a mode change to $ack$ in a $receive\_msg(m)$ step that empties $buf_r$. Furthermore, when
$mode_r = rcvd$ no messages can be put into $buf_r$ (which actually implies that $buf_r$ will always
contain zero or one element). Then, by fairness to $receive\_msg(m)$ steps, $buf_r$ will eventually
be emptied and hence the result follows.



Lemma 9.22 (ack liveness)

1. $L_{H'} \models \forall id : \Box(\Box(mode_r = ack \wedge last_r = id) \Rightarrow \Box\Diamond(send\_pkt_{rs}(ack, id, true)))$

2. $L_{H'} \models \forall id : \Box(\Box(mode_r \ne rec) \wedge mode_r = ack \wedge last_r = id \Rightarrow$
$\Diamond(receive\_pkt_{sr}(done, id)) \vee \Box\Diamond(send\_pkt_{rs}(ack, id, true)))$

Proof

Similar to the proof of Lemma 9.20.



Lemma 9.23 (ack $\leadsto$ idle)

$L_{H'} \models \Box(\Box(mode_s \ne rec \wedge mode_r \ne rec) \Rightarrow (mode_r = ack \leadsto mode_r = idle))$

Proof

By Lemma 3.5 the following proof suffices.

Assume: 1. $\alpha \in L_{H'}$

2. $\alpha_1$ is an arbitrary suffix of $\alpha$

3. $id$ is arbitrary

4. $\alpha_1 \models \Box(mode_s \ne rec \wedge mode_r \ne rec)$

Prove: $\alpha_1 \models mode_r = ack \leadsto mode_r = idle$

(1)1. $\alpha_1 \models \Box(\Box(mode_r \ne rec) \wedge mode_r = ack \wedge last_r = id \Rightarrow$
$\Diamond(receive\_pkt_{sr}(done, id)) \vee \Box\Diamond(send\_pkt_{rs}(ack, id, true)))$

Proof: By Lemma 9.22 Part 2, the Assumptions, and Lemma 3.5.

(1)2. $\alpha_1 \models \Box(\Box(mode_r \ne rec) \wedge mode_r = ack \wedge last_r = id \Rightarrow$
$\Diamond(receive\_pkt_{sr}(done, id)) \vee \Box\Diamond(receive\_pkt_{rs}(ack, id, true)))$

Proof: By (1)1 and Channel Liveness ($Q_{Ch_{rs}}$).

(1)3. $\alpha_1 \models \Box(\Box(mode_r \ne rec) \wedge mode_r = ack \wedge last_r = id \Rightarrow$
$\Diamond(receive\_pkt_{sr}(done, id)) \vee \Box\Diamond(receive\_pkt_{sr}(done, id)))$

Proof: By (1)2, Lemma 9.19 Part 2, Rule MP, and Channel Liveness ($Q_{Ch_{sr}}$).

(1)4. $\alpha_1 \models \Box(\Box(mode_r \ne rec) \wedge mode_r = ack \wedge last_r = id \Rightarrow \Diamond(receive\_pkt_{sr}(done, id)))$

Proof: Directly from (1)3.

(1)5. $\alpha_1 \models \Box(\Box(mode_r \ne rec) \wedge mode_r = ack \wedge last_r = id \Rightarrow$
$((mode_r = ack \wedge last_r = id)\ \mathcal{U}\ (receive\_pkt_{sr}(done, id))))$

Proof: By (1)4, Lemma 9.16 Part 4(a), and the definition of $\mathcal{U}$.

(1)6. $\alpha_1 \models \Box(mode_r = ack \wedge last_r = id \Rightarrow \Diamond(mode_r = ack \wedge last_r = id \wedge (receive\_pkt_{sr}(done, id))))$

Proof: By (1)5, the Assumptions, Rule MP, and the definition of $\mathcal{U}$.

(1)7. $\alpha_1 \models mode_r = ack \wedge last_r = id \leadsto mode_r = ack \wedge last_r = id \wedge (receive\_pkt_{sr}(done, id))$

Proof: Directly from (1)6 and the definition of $\leadsto$.

(1)8. $\alpha_1 \models (mode_r = ack \wedge last_r = id) \leadsto mode_r = idle$

Proof: By (1)7, the $\leadsto$ property implied by Lemma 9.16 Part 4(b), and transitivity of $\leadsto$.

(1)9. Q.E.D.

Proof: Directly from (1)8.



We are now ready to state and prove a very important result about the live executions of $H'$. In
Section 9.2.3 we provided some intuitive justification of the mode of operation of the H protocol.
One bad situation that we touched upon was when the sender is in $needid$ mode but the receiver
is in some "bad" mode other than $idle$. We argued that eventually, due to $done$ packets, the
receiver would always be reset to $idle$ but that it could immediately enter a bad $accept$ mode
again as a result of receiving an old $needid$ packet (i.e., a $needid$ packet $(needid, jd)$ for which
$jd \ne jd_s$) from the channel. However, since each channel step can only add a finite number of
packets to a channel, at any point during execution there are only finitely many packets (and
consequently only finitely many old $needid$ packets) in the $sr$ channel. Therefore, since the
sender only adds new $needid$ packets to $sr$, the receiver can only enter a bad $accept$ state finitely
many times. Thus, sooner or later either the receiver receives a new $needid$ packet (even though
there are still old ones in the channel) or all old $needid$ packets have been received, in which
case the receiver will eventually be reset to $idle$ mode and thereafter receive a new $needid$
packet. This is formalized in the following lemma. In the proof we use the induction rule Ind.
First, we need the following definition: in any state where $mode_s = needid$, define the number
of old $needid$ packets, written $\#old\_needid$, to be the number of $needid$ packets (including
duplicates) in the $sr$ channel with $jd \ne jd_s$.
Lemma 9.24

$L_{H'} \models \forall jd : \Box(\Box(mode_s = needid \wedge jd_s = jd \wedge mode_r \ne rec) \Rightarrow \Diamond(mode_r = accept \wedge jd_r = jd))$

Proof

Assume: $\alpha \in L_{H'}$

Prove: $\alpha \models \forall jd : \Box(\Box(mode_s = needid \wedge jd_s = jd \wedge mode_r \ne rec) \Rightarrow \Diamond(mode_r = accept \wedge jd_r = jd))$

(1)1. Assume: 1. $jd$ is arbitrary

2. $\alpha_1$ is an arbitrary suffix of $\alpha$

3. $\alpha_1 \models \Box(mode_s = needid \wedge jd_s = jd \wedge mode_r \ne rec)$

Prove: $\alpha_1 \models \Diamond(mode_r = accept \wedge jd_r = jd)$

(2)1. Case: $\alpha_1 \models mode_r = accept \wedge jd_r = jd$

(3)1. Q.E.D.

Proof: Case Assumption (2) implies the goal.

(2)2. Case: $\alpha_1 \models \neg(mode_r = accept \wedge jd_r = jd)$

(3)1. $\alpha_1 \models \Diamond(mode_r = idle)$

(4)1. Case: $\alpha_1 \models mode_r = idle$

(5)1. Q.E.D.

Proof: Assumption (4) implies the goal.

(4)2. Case: $\alpha_1 \models mode_r = ack$

(5)1. Q.E.D.

Proof: By Assumptions (4) and (1).3, and Lemma 9.23.

(4)3. Case: $\alpha_1 \models mode_r = rcvd$

(5)1. Q.E.D.

Proof: By Assumptions (4) and (1).3, and Lemmas 9.21 and 9.23.

(4)4. Case: $\alpha_1 \models mode_r = accept \wedge jd_r \ne jd$

(5)1. $\alpha_1 \models mode_r = accept \wedge jd_r \ne jd \wedge jd_r = jd' \wedge id_r = id$

Proof: From Assumption (4) by letting $jd'$ and $id$ be the values
of $jd_r$ and $id_r$, respectively, in the first state of $\alpha_1$.

(5)2. $\alpha_1 \models \Diamond(receive\_pkt_{sr}(send, \_, id)) \vee \Diamond(receive\_pkt_{sr}(done, id)) \vee$
$\Box\Diamond(send\_pkt_{rs}(accept, jd', id))$

Proof: By Lemma 9.20 Part 2, Lemma 3.5, (5)1, Assumption
(1).3, and Rule MP.

(5)3. $\alpha_1 \models \Diamond(receive\_pkt_{sr}(send, \_, id)) \vee \Diamond(receive\_pkt_{sr}(done, id)) \vee$
$\Box\Diamond(receive\_pkt_{sr}(done, id))$

Proof: By (5)2, Channel Liveness ($Q_{Ch_{sr}}$ and $Q_{Ch_{rs}}$), Lemma
9.19 Part 3, the Assumptions, Lemma 3.5, and Rule MP.

(5)4. $\alpha_1 \models \Diamond(receive\_pkt_{sr}(send, \_, id)) \vee \Diamond(receive\_pkt_{sr}(done, id))$

Proof: Directly by (5)3.

(5)5. $\alpha_1 \models (mode_r = accept \wedge jd_r = jd' \wedge id_r = id)\ \mathcal{U}$
$((receive\_pkt_{sr}(send, \_, id)) \vee (receive\_pkt_{sr}(done, id)))$

Proof: By (5)4, Lemma 9.16 Part 2(a), Lemma 3.5, the Assumptions,
and Rule MP.

(5)6. $\alpha_1 \models \Diamond(mode_r = accept \wedge jd_r = jd' \wedge id_r = id \wedge (receive\_pkt_{sr}(send, \_, id))) \vee$
$\Diamond(mode_r = accept \wedge jd_r = jd' \wedge id_r = id \wedge (receive\_pkt_{sr}(done, id)))$

Proof: Implied by (5)5.

(5)7. $\alpha_1 \models \Diamond(mode_r = rcvd) \vee \Diamond(mode_r = idle)$

Proof: By (5)6, Lemma 9.16 Part 2(b), the Assumptions, Lemma
3.5, and Rule MP.

(5)8. Q.E.D.

Proof: By (5)7, Lemmas 9.21 and 9.23, and the Assumptions.

(4)5. Q.E.D.

Proof: By Assumption (2) and the exhaustive cases (4)1-(4)4.

(3)2. $\alpha_1 \models \Box(\#old\_needid^{\circ} \le \#old\_needid)$

Proof: By Assumption (1).3, $\#old\_needid$ is defined in all states of $\alpha_1$ and
$jd_s$ does not change in $\alpha_1$. Then, since the only actions that can add $needid$
packets to $sr$ add packets with $jd = jd_s$, the result follows.

(3)3. Base Case

$\alpha_1 \models (mode_r = idle \wedge \#old\_needid = 0) \leadsto (mode_r = accept \wedge jd_r = jd)$

(4)1. Assume: 1. $\alpha_2$ is an arbitrary suffix of $\alpha_1$

2. $\alpha_2 \models mode_r = idle \wedge \#old\_needid = 0$

Prove: $\alpha_2 \models \Diamond(mode_r = accept \wedge jd_r = jd)$

(5)1. $\alpha_2 \models \Box(\#old\_needid = 0)$

Proof: By (3)2 and Assumption (4).2.

(5)2. $\alpha_2 \models \Box\neg(\{receive\_pkt_{sr}(needid, jd') \mid jd' \ne jd\})$

Proof: By (5)1, Assumption (1).2, Lemma 3.5 Part 1, and the
definition of the steps of $A_{H'}$.

(5)3. $\alpha_2 \models mode_r = idle\ \mathcal{W}\ (receive\_pkt_{sr}(needid, \_))$

Proof: From Lemma 3.5 Part 1, the fact that $\alpha_2$ is a suffix of
$\alpha$ (Assumptions (1).2 and (4).1), Lemma 9.16 Part 1(a), Assumptions
(1).3 and (4).2, and Rule MP.

(5)4. $\alpha_2 \models mode_r = idle\ \mathcal{W}\ (receive\_pkt_{sr}(needid, jd))$

Proof: By (5)2 and (5)3.

(5)5. $\alpha_2 \models \Diamond(receive\_pkt_{sr}(needid, jd))$

Proof: From Lemma 9.18, Channel Liveness $Q_{Ch_{sr}}$, Assumption
(1).3, and Rule MP.

(5)6. $\alpha_2 \models mode_r = idle\ \mathcal{U}\ (receive\_pkt_{sr}(needid, jd))$

Proof: By (5)4, (5)5, and the definition of $\mathcal{U}$.

(5)7. $\alpha_2 \models \Diamond(mode_r = idle \wedge (receive\_pkt_{sr}(needid, jd)))$

Proof: By (5)6 and the definition of $\mathcal{U}$.

(5)8. Q.E.D.

Proof: By (5)7, Lemma 9.16 Part 1(b), and MP1 (and, as always,
Lemma 3.5 Part 1 and the assumption that $\alpha_2$ is a suffix of $\alpha$).

(4)2. Q.E.D.

Proof: (4)1, the definition of implication, and Lemma 3.5 Part 2 give
$\alpha_1 \models \Box(mode_r = idle \wedge \#old\_needid = 0 \Rightarrow \Diamond(mode_r = accept \wedge jd_r = jd))$
which, by definition of $\leadsto$, immediately gives the result.

(3)4. Inductive Case

$\alpha_1 \models \forall k : (k > 0 \Rightarrow$
$\exists l : (l < k \wedge$
$(mode_r = idle \wedge \#old\_needid = k \leadsto$
$(mode_r = idle \wedge \#old\_needid = l) \vee$
$(mode_r = accept \wedge jd_r = jd))))$

(4)1. Assume: 1. $k$ is an arbitrary positive number

2. $\alpha_2$ is an arbitrary suffix of $\alpha_1$

3. $\alpha_2 \models mode_r = idle \wedge \#old\_needid = k$

Prove: $\alpha_2 \models \Diamond((mode_r = idle \wedge \#old\_needid < k) \vee (mode_r = accept \wedge jd_r = jd))$

(5)1. $\alpha_2 \models mode_r = idle\ \mathcal{W}$
$((receive\_pkt_{sr}(needid, jd)) \vee$
$(\{receive\_pkt_{sr}(needid, jd') \mid jd' \ne jd\}))$

Proof: By Lemma 9.16 Part 1(a), Assumptions (1).3 and (4).3,
and Rule MP.

(5)2. $\alpha_2 \models \Diamond(receive\_pkt_{sr}(needid, jd))$

Proof: By Lemma 9.18, Assumption (1).3, Rule MP, and Channel
Liveness $Q_{Ch_{sr}}$.

(5)3. $\alpha_2 \models mode_r = idle\ \mathcal{U}$
$((receive\_pkt_{sr}(needid, jd)) \vee$
$(\{receive\_pkt_{sr}(needid, jd') \mid jd' \ne jd\}))$

Proof: By (5)1, (5)2, and the definition of $\mathcal{U}$.

(5)4. $\alpha_2 \models \Diamond(mode_r = idle \wedge (receive\_pkt_{sr}(needid, jd))) \vee$
$\Diamond(mode_r = idle \wedge (\{receive\_pkt_{sr}(needid, jd') \mid jd' \ne jd\}) \wedge \#old\_needid \le k)$

Proof: By (5)3, the definition of $\mathcal{U}$, Assumption (4).3, and (3)2.

(5)5. $\alpha_2 \models \Diamond(mode_r = accept \wedge jd_r = jd) \vee$
$\Diamond(mode_r = accept \wedge jd_r \ne jd \wedge \#old\_needid < k)$

Proof: By (5)4, Lemma 9.16 Part 1(b) and the fact that receiving
an old $needid$ packet reduces $\#old\_needid$ by one.

(5)6. $\alpha_2 \models \Diamond(mode_r = accept \wedge jd_r = jd) \vee$
$\Diamond(mode_r = idle \wedge \#old\_needid < k)$

Proof: Similar to Case $\alpha_1 \models (mode_r = accept \wedge jd_r \ne jd)$ of
(3)1 above (and (3)2).

(5)7. Q.E.D.

Proof: Directly from (5)6.

(4)2. Q.E.D.

Proof: From (4)1, the definition of $\leadsto$, and Lemma 3.5.

(3)5. $\alpha_1 \models \forall n : \Box(mode_r = idle \wedge \#old\_needid = n \Rightarrow \Diamond(mode_r = accept \wedge jd_r = jd))$

Proof: By (3)3, (3)4, Rule Ind, and the definition of $\leadsto$.

(3)6. For some number $n'$,

$\alpha_1 \models \Diamond(mode_r = idle \wedge \#old\_needid = n')$

Proof: Directly from (3)1 when we let $n'$ be the value of $\#old\_needid$ in some
state of $\alpha_1$ where $mode_r = idle$.

(3)7. $\alpha_1 \models \Box(mode_r = idle \wedge \#old\_needid = n' \Rightarrow \Diamond(mode_r = accept \wedge jd_r = jd))$

Proof: By (3)5 and Lemma 3.5 Part 6.

(3)8. Q.E.D.

Proof: By (3)6, (3)7, and Rule MP1.

(2)3. Q.E.D.

Proof: By the exhaustive cases (2)1 and (2)2.

(1)2. Q.E.D.

Proof: By (1)1 using the definition of implication and Lemma 3.5 Parts 2 and 5.
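The well-foundedness argument of Lemma 9.24 (a finite, never growing number of old needid packets) can be exercised in an executable model. The Python sketch below is an added example written for this page, not code from the report: it models only the sender sitting in needid mode with a fixed $jd_s$, the $sr$ channel as a multiset of needid packets, and the receiver's reaction to needid packets (Lemma 9.16 Part 1); the done-packet reset of Lemmas 9.20 to 9.23 is abstracted into one step, and the scheduler `adversarial_run` and the scenario in `demo` are constructed.

```python
"""Executable sketch of the measure argument behind Lemma 9.24 (added example)."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class State:
    jd_s: int                      # sender's current jd; the sender stays in needid mode
    mode_r: str = "idle"
    jd_r: int | None = None
    # sr channel as a multiset of (kind, jd) packets; only needid packets matter here
    sr: Counter = field(default_factory=Counter)


def old_needid(st: State) -> int:
    """#old_needid: needid packets (with duplicates) in sr whose jd != jd_s."""
    return sum(n for (kind, jd), n in st.sr.items() if kind == "needid" and jd != st.jd_s)


def send_needid(st: State, copies: int) -> None:
    """Sender step: in needid mode the sender only adds (needid, jd_s) packets,
    of which the channel may keep any finite number of copies."""
    st.sr[("needid", st.jd_s)] += copies


def receive_needid(st: State, jd: int) -> None:
    """receive_pkt_sr(needid, jd): an idle receiver enters accept mode with
    jd_r = jd; in any other mode the packet is consumed without effect."""
    if st.sr[("needid", jd)] == 0:
        raise ValueError("receive_pkt_sr(needid, jd) is not enabled")
    st.sr[("needid", jd)] -= 1
    if st.mode_r == "idle":
        st.mode_r, st.jd_r = "accept", jd


def reset_to_idle(st: State) -> None:
    """Abstraction of the done-packet reset: a receiver in a bad accept mode
    (jd_r != jd_s) eventually returns to idle (Lemmas 9.20 to 9.23)."""
    st.mode_r, st.jd_r = "idle", None


def adversarial_run(st: State, step_limit: int = 10_000) -> list[int]:
    """Drive the model with the least helpful fair scheduler: old needid packets
    are delivered first and the receiver is reset whenever possible. Returns the
    #old_needid values seen in idle states; raises if the measure ever grows or
    the receiver never reaches (accept, jd_s), which the lemma rules out."""
    measure = []
    prev = old_needid(st)
    for _ in range(step_limit):
        if st.mode_r == "accept" and st.jd_r == st.jd_s:
            return measure
        cur = old_needid(st)
        if cur > prev:
            raise AssertionError("#old_needid increased")
        prev = cur
        if st.mode_r != "idle":
            reset_to_idle(st)               # bad accept state: eventually reset
            continue
        measure.append(cur)
        old = [p for p in st.sr if p[0] == "needid" and p[1] != st.jd_s and st.sr[p] > 0]
        if old:
            receive_needid(st, old[0][1])   # deliver an old packet: measure drops by one
        else:
            # No old packets left: fairness (Lemma 9.18 plus channel liveness) forces a
            # fresh (needid, jd_s) packet through, and the idle receiver accepts it.
            send_needid(st, 1)
            receive_needid(st, st.jd_s)
    raise AssertionError("step limit reached")


def demo() -> tuple[list[int], State]:
    """Constructed scenario: jd_s = 7, receiver stuck in a bad accept state,
    five stale needid packets and one fresh one already in sr."""
    st = State(jd_s=7, mode_r="accept", jd_r=3)
    st.sr.update({("needid", 3): 2, ("needid", 5): 3, ("needid", 7): 1})
    trace = adversarial_run(st)
    return trace, st


if __name__ == "__main__":
    trace, final = demo()
    print("#old_needid in idle states:", trace)      # [5, 4, 3, 2, 1, 0]
    print("final receiver state:", final.mode_r, final.jd_r)
```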



Now, since the receiver will eventually enter $accept$ mode with the right $jd_r$, eventually the
sender will receive an $(accept, jd_s, id)$ packet, as formalized by the following lemma.

Lemma 9.25

$L_{H'} \models \forall jd : \Box(\Box(mode_s = needid \wedge jd_s = jd \wedge mode_r \ne rec) \Rightarrow \Diamond(receive\_pkt_{rs}(accept, jd, \_)))$

Proof

Assume: $\alpha \in L_{H'}$

Prove: $\alpha \models \forall jd : \Box(\Box(mode_s = needid \wedge jd_s = jd \wedge mode_r \ne rec) \Rightarrow \Diamond(receive\_pkt_{rs}(accept, jd, \_)))$

(1)1. Assume: 1. $jd$ is arbitrary

2. $\alpha_1$ is an arbitrary suffix of $\alpha$

3. $\alpha_1 \models \Box(mode_s = needid \wedge jd_s = jd \wedge mode_r \ne rec)$

Prove: $\alpha_1 \models \Diamond(receive\_pkt_{rs}(accept, jd, \_))$

(2)1. $\alpha_1 \models \Diamond(mode_r = accept \wedge jd_r = jd)$

Proof: By Lemma 9.24, Assumption (1), Lemma 3.5, and Rule MP.

(2)2. Assume: 1. $\alpha_2$ is a suffix of $\alpha_1$ such that

2. $\alpha_2 \models mode_r = accept \wedge jd_r = jd \wedge id_r = id$

Prove: $\alpha_2 \models \Diamond(receive\_pkt_{rs}(accept, jd, \_))$

(3)1. $\alpha_2 \models (mode_r = accept \wedge jd_r = jd \wedge id_r = id)\ \mathcal{W}$
$((receive\_pkt_{sr}(send, \_, id)) \vee (receive\_pkt_{sr}(done, id)))$

Proof: By Lemma 9.16 Part 2(a), Lemma 3.5, Assumptions (1) and (2), and
Rule MP.

(3)2. $\alpha_2 \models \Box(mode_r = accept \wedge jd_r = jd \wedge id_r = id)$

Proof: By (3)1, Lemma 9.17, Lemma 3.5, and Rule Unl.

(3)3. $\alpha_2 \models \Box\Diamond(send\_pkt_{rs}(accept, jd, id))$

Proof: By (3)2, Lemma 9.20 Part 1, Lemma 3.5, and Rule MP.

(3)4. $\alpha_2 \models \Box\Diamond(receive\_pkt_{rs}(accept, jd, id))$

Proof: The form of $Q_{Ch_{rs}}$ implies that since $\alpha \models Q_{Ch_{rs}}$ ($\alpha$ is live) and $\alpha_2$ is
a suffix of $\alpha$, then $\alpha_2 \models Q_{Ch_{rs}}$. This and (3)3 together with Rule MP give
the result.

(3)5. Q.E.D.

Proof: Directly from (3)4.

(2)3. Q.E.D.

Proof: By (2)1 and (2)2.

(1)2. Q.E.D.

Proof: By (1)1, the definition of implication, and Lemma 3.5.



Lemma 9.26

$L_{H'} \models \Box(\Box(mode_s = needid \wedge mode_r \ne rec) \Rightarrow \Diamond(mode_s = send))$

Proof

Directly from Lemma 9.25 and Lemma 9.15 Part 2(b).



We are now ready to prove the main part of the liveness proof that $H'$ correctly implements
$G'^{\rho}$, namely, if $\alpha$ is a live execution of $H'$ and $\alpha'$ is an execution of $G'^{\rho}$ such that $(\alpha, \alpha') \in R_{HG}$,
then $\alpha'$ is live. As usual, we prove this result by contradiction. Thus, we assume that $\alpha'$ is not
live and then derive a contradiction with the fact that $\alpha$ is live.

Lemma 9.27

Let $\alpha \in exec(A_{H'})$ and $\alpha' \in exec(A_{G'^{\rho}})$ be arbitrary executions of $A_{H'}$ and $A_{G'^{\rho}}$, respectively, with
$(\alpha, \alpha') \in R_{HG}$. Assume $\alpha \models Q_H$. Then $\alpha' \models \rho(Q_G)$.

Proof

We prove the conjecture by contradiction. Thus,

Assume: $\alpha' \not\models \rho(Q_G)$
Prove: False

(1)1. $\alpha' \models \neg WF(\rho(C_{G,s/r1})) \vee$
$\neg\Box(\Box(mode_s = needid \wedge mode_r \ne rec) \Rightarrow \Diamond(\rho(C_{G,s/r2}))) \vee$
$\neg WF(\rho(C_{G,s/r3})) \vee$
$\neg WF(\rho(C_{G,s/r4})) \vee$
$\neg\forall p : (\Box\Diamond(send\_pkt_{sr}(p)) \Rightarrow \Box\Diamond(receive\_pkt_{sr}(p))) \vee$
$\neg\forall p : WF(receive\_pkt_{sr}(p)) \vee$
$\neg\forall p : (\Box\Diamond(send\_pkt_{rs}(p)) \Rightarrow \Box\Diamond(receive\_pkt_{rs}(p))) \vee$
$\neg\forall p : WF(receive\_pkt_{rs}(p))$

Proof: Immediate by the Assumption, the definition of $\rho(Q_G)$, and the Boolean operators.

(1)2. Case: $\alpha' \models \neg WF(\rho(C_{G,s/r1}))$

(2)1. $\alpha' \models \Diamond\Box(mode_s \in \{idle, send, rec\}) \wedge \Diamond\Box\neg(\rho(C_{G,s/r1}))$

Proof: From Case Hypothesis (1) by noting that $enabled(\rho(C_{G,s/r1})) = (mode_s \in \{idle, send, rec\})$ and by expanding $WF$.

(2)2. $\alpha \models \Diamond\Box(mode_s \in \{idle, send, rec\}) \wedge \Diamond\Box\neg(\rho(C_{G,s/r1}) \setminus \{prepare\})$

Proof: From (2)1 by definition of $R_{HG}$ and by Lemmas 5.10 and 5.11.

(2)3. $\alpha \models \Diamond\Box(mode_s \in \{idle, send, rec\}) \wedge$
$\Diamond\Box\neg(\rho(C_{G,s/r1}) \setminus \{prepare\}) \wedge$
$\Diamond\Box\neg(\{send\_pkt_{sr}(needid, jd) \mid jd \in JD\})$

Proof: By (2)2 there is a suffix of $\alpha$ where always $mode_s \in \{idle, rec, send\}$. Thus
we get that no $send\_pkt_{sr}(needid, \_)$ actions occur in that suffix, since such actions
are only enabled when $mode_s = needid$.

(2)4. $\alpha \models \Diamond\Box(mode_s \in \{idle, send, rec, needid\}) \wedge$
$\Diamond\Box\neg((\rho(C_{G,s/r1}) \setminus \{prepare\}) \cup \{send\_pkt_{sr}(needid, jd) \mid jd \in JD\})$

Proof: By (2)3 by noting that if $mode_s$ is in $\{idle, send, rec\}$, it is also in the
bigger set $\{idle, send, rec, needid\}$.

(2)5. $\alpha \models \neg WF(C_{H,s1})$

Proof: From (2)4 by using the definitions of $WF$ and $C_{H,s1}$.

(2)6. Q.E.D.

Proof: (2)5 contradicts the assumption that $\alpha \models Q_H$.

(1)3. Case: $\alpha' \models \neg\Box(\Box(mode_s = needid \wedge mode_r \ne rec) \Rightarrow \Diamond(\rho(C_{G,s/r2})))$

(2)1. $\alpha' \models \Diamond(\Box(mode_s = needid \wedge mode_r \ne rec) \wedge \Box\neg(\rho(C_{G,s/r2})))$

Proof: Directly from Assumption (1).

(2)2. $\alpha' \models \Diamond\Box(mode_s = needid \wedge mode_r \ne rec) \wedge \Diamond\Box\neg(\rho(C_{G,s/r2}))$

Proof: Directly from (2)1.

(2)3. $\alpha \models \Diamond\Box(mode_s = needid \wedge mode_r \ne rec)$

Proof: From (2)2 by Lemma 5.11 and the definition of $R_{HG}$.

(2)4. There exists a suffix $\alpha_1$ of $\alpha$ such that

$\alpha_1 \models \Box(mode_s = needid \wedge mode_r \ne rec)$

Proof: From (2)3 using Lemma 3.5 Part 3.

(2)5. $\alpha_1 \models \Box(mode_s = needid \wedge mode_r \ne rec) \Rightarrow \Diamond(mode_s = send)$

Proof: By Lemma 9.26, Lemma 3.5 Part 1, and Rule Par.

(2)6. $\alpha_1 \models \Diamond(mode_s = send)$

Proof: By (2)4, (2)5, and Rule MP.

(2)7. Q.E.D.

Proof: (2)6 contradicts (2)4.

(1)4. Case: $\alpha' \models \neg WF(\rho(C_{G,s/r3}))$

(2)1. $\alpha' \models \Diamond\Box(mode_r = rec \vee (mode_r = rcvd \wedge buf_r \ne \varepsilon) \vee mode_r = ack) \wedge$
$\Diamond\Box\neg(\rho(C_{G,s/r3}))$

Proof: By Assumption (1) and the definitions of $WF$ and $enabled(\rho(C_{G,s/r3}))$.

(2)2. $\alpha \models \Diamond\Box(mode_r = rec \vee (mode_r = rcvd \wedge buf_r \ne \varepsilon) \vee mode_r = ack) \wedge$
$\Diamond\Box\neg(\rho(C_{G,s/r3}))$

Proof: From (2)1 by definition of $R_{HG}$, the fact that $\rho(C_{G,s/r3})$ contains external
actions only, and Lemmas 5.10 and 5.11.

(2)3. $\alpha \models \Diamond\Box(mode_r = rec \vee (mode_r = rcvd \wedge buf_r \ne \varepsilon) \vee mode_r = ack) \wedge$
$\Diamond\Box\neg(\rho(C_{G,s/r3})) \wedge$
$\Diamond\Box\neg(\{send\_pkt_{rs}(accept, jd, id) \mid jd \in JD \wedge id \in ID\})$

Proof: Since, by (2)2, there is a suffix of $\alpha$ where always $mode_r \in \{rec, rcvd, ack\}$,
we get that no $send\_pkt_{rs}(accept, \_, \_)$ actions occur in that suffix, since such actions
are only enabled when $mode_r = accept$.

(2)4. $\alpha \models \Diamond\Box((mode_r = rcvd \wedge buf_r \ne \varepsilon) \vee mode_r \in \{rec, ack, accept\}) \wedge$
$\Diamond\Box\neg(\rho(C_{G,s/r3}) \cup \{send\_pkt_{rs}(accept, jd, id) \mid jd \in JD \wedge id \in ID\})$

Proof: By (2)3 by noting that if eventually $mode_r$ is always in $\{rec, rcvd, ack\}$,
then it is eventually always in the bigger set $\{rec, rcvd, ack, accept\}$.

(2)5. $\alpha \models \neg WF(C_{H,r1})$

Proof: By (2)4 using the definition of $WF$ and the fact that $C_{H,r1} = \rho(C_{G,s/r3}) \cup \{send\_pkt_{rs}(accept, jd, id) \mid jd \in JD \wedge id \in ID\}$.

(2)6. Q.E.D.

Proof: (2)5 contradicts the assumption that $\alpha \models Q_H$.

(1)5. Case: $\alpha' \models \neg WF(\rho(C_{G,s/r4}))$

(2)1. $\alpha' \models \Diamond\Box(mode_r \ne rec \wedge nack\text{-}buf_r \ne \varepsilon) \wedge \Diamond\Box\neg(\rho(C_{G,s/r4}))$

Proof: From Assumption (1) by using the definition of $WF$, and the fact that
$enabled(\rho(C_{G,s/r4})) = (mode_r \ne rec \wedge nack\text{-}buf_r \ne \varepsilon)$.

(2)2. $\alpha \models \Diamond\Box(mode_r \ne rec \wedge nack\text{-}buf_r \ne \varepsilon) \wedge \Diamond\Box\neg(\rho(C_{G,s/r4}))$

Proof: By (2)1, the definition of $R_{HG}$, the fact that $\rho(C_{G,s/r4})$ consists of external
actions only, and Lemmas 5.10 and 5.11.

(2)3. $\alpha \models \neg WF(C_{H,r2})$

Proof: By (2)2 using the definition of $WF$ and the fact that $C_{H,r2} = \rho(C_{G,s/r4})$.

(2)4. Q.E.D.

Proof: (2)3 contradicts the assumption that $\alpha \models Q_H$.

(1)6. Case: $\alpha' \models \neg\forall p : (\Box\Diamond(send\_pkt_{sr}(p)) \Rightarrow \Box\Diamond(receive\_pkt_{sr}(p)))$

(2)1. $\alpha' \models \exists p : (\Box\Diamond(send\_pkt_{sr}(p)) \wedge \Diamond\Box\neg(receive\_pkt_{sr}(p)))$

Proof: Directly from Assumption (1).

(2)2. There exist $m \in Msg$ and $id \in ID$ such that

$\alpha' \models \Box\Diamond(send\_pkt_{sr}(send, m, id)) \wedge \Diamond\Box\neg(receive\_pkt_{sr}(send, m, id))$

Proof: By (2)1 and Lemma 3.5 Part 8.

(2)3. $\alpha \models \Box\Diamond(send\_pkt_{sr}(send, m, id)) \wedge \Diamond\Box\neg(receive\_pkt_{sr}(send, m, id))$

Proof: By (2)2, Lemma 5.10, and the fact that the actions $send\_pkt_{sr}(send, m, id)$
and $receive\_pkt_{sr}(send, m, id)$ are external.

(2)4. $\alpha \models \exists p : (\Box\Diamond(send\_pkt_{sr}(p)) \wedge \Diamond\Box\neg(receive\_pkt_{sr}(p)))$

Proof: By (2)3 and Lemma 3.5 Part 7. (Note that the bound variable $p$ ranges
over all packets of the form $(needid, jd)$, $(send, m, id)$, and $(done, id)$, whereas the
bound variable in (2)1 only ranges over packets of the form $(send, m, id)$.)

(2)5. $\alpha \models \neg\forall p : (\Box\Diamond(send\_pkt_{sr}(p)) \Rightarrow \Box\Diamond(receive\_pkt_{sr}(p)))$

Proof: Directly from (2)4.

(2)6. Q.E.D.

Proof: (2)5 contradicts the assumption that $\alpha \models Q_H$.

(1)7. Case: $\alpha' \models \neg\forall p : WF(receive\_pkt_{sr}(p))$

(2)1. $\alpha' \models \exists p : \neg WF(receive\_pkt_{sr}(p))$

Proof: Directly from Assumption (1).

(2)2. For some packet $p$ (of the form $(send, m, id)$),
$\alpha' \models \Diamond\Box\neg(receive\_pkt_{sr}(p)) \wedge \Diamond\Box(p \in sr)$

Proof: By (2)1, Lemma 3.5 Part 8, the definition of $WF$ and since $receive\_pkt_{sr}(p)$
is enabled when $p \in sr$.

(2)3. $\alpha \models \Diamond\Box\neg(receive\_pkt_{sr}(p)) \wedge \Diamond\Box(p \in sr)$

Proof: By (2)2, Lemmas 5.10 and 5.11, and the facts that $receive\_pkt_{sr}(p)$ is external,
and if $(s, u) \in R_{HG}$ and $u \models (p \in sr)$, then $s \models (p \in sr)$ (recall that $p$ has the
form $(send, m, id)$).

(2)4. $\alpha \models \neg\forall p : WF(receive\_pkt_{sr}(p))$

Proof: Directly from (2)3, Lemma 3.5 Part 7 and the definition of $WF$.

(2)5. Q.E.D.

Proof: (2)4 contradicts the assumption that $\alpha \models Q_H$.

(1)8. Case: $\alpha' \models \neg\forall p : (\Box\Diamond(send\_pkt_{rs}(p)) \Rightarrow \Box\Diamond(receive\_pkt_{rs}(p)))$

Proof: Similar to (1)6.

(1)9. Case: $\alpha' \models \neg\forall p : WF(receive\_pkt_{rs}(p))$

Proof: Similar to (1)7.

(1)10. Q.E.D.

Proof: By (1)1 and the exhaustive cases (1)2-(1)9.



With this result, the simulation result of the previous section, and Lemma 5.9 we can prove that
$H'$ correctly implements $G'^{\rho}$.

Lemma 9.28 
W C L G"' 

Proof 

Immediate by Lemmas 9.13, 9.27, and 5.9. 



And, finally, we can prove that H correctly implements G.

Theorem 9.29

$H \sqsubseteq_L G$

Proof

By Lemma 9.28 and Lemma 5.15 we get

$H' \sqsubseteq_L G'^{\rho}$

which by substitutivity (Lemma 2.16) implies

$H' \setminus A_H \sqsubseteq_L G'^{\rho} \setminus A_H$

Then, by the definition of $\rho$, $A_H$, and $A_G$ we get

$H' \setminus A_H \sqsubseteq_L G'^{\rho} \setminus \rho(A_G)$

Now, since $\rho$ only renames actions which are subsequently hidden, this implies

$H' \setminus A_H \sqsubseteq_L G' \setminus A_G$

which finally, by definition, yields the result

$H \sqsubseteq_L G$

Since the correct implementation relation $\sqsubseteq_L$ is a preorder, we get the overall
result that H correctly implements S and thus solves the at-most-once message delivery problem.

Theorem 9.30 

Proof 

By Theorems 7.18, 8.19, and 9.29, and the fact that the subset relation, and thus the correct 
implementation relation (cf. Definition 2.15), is transitive. 



We now move to the timed setting to consider the Clock-Based Protocol C. 



Chapter 10 

The Clock-Based Protocol C 



The second and last low-level protocol we consider in this work is the Clock-Based Protocol of
[LSW91], which in this work is denoted by C. As the name suggests, the functionality of the
protocol depends on the sender and receiver having access to certain clocks. Specifically, the
sender and the receiver each have a local clock which is required to deviate from real time by at
most some constant amount, called the clock skew. The C protocol thus consists of a sender, a
receiver, two channels, and a special clock subsystem that guarantees that the local clocks are
almost synchronized with real time. This structure is depicted in Figure 10.1. We model the
clock subsystem as a live timed I/O automaton that issues ticks to the sender and the receiver.
Exactly how to implement a clock subsystem in a distributed system falls outside the scope of
this work [LMS85].

C is a timed protocol. Besides having the clock subsystem, we shall assume that channel
delays and the maximum time difference between certain process steps are bounded. Thus, each
component of C is specified as a live timed I/O automaton, and consequently C itself is a live
timed I/O automaton.

The specification S is modeled as an (untimed) live I/O automaton since the problem statement
did not mention time at all. In Section 2.3 we discussed what it means to implement
an untimed specification by a timed implementation. The idea was to consider the untimed
specification as a timed system that allows time to pass arbitrarily as long as the liveness
assumptions are satisfied. For this reason the operator patient on safe and live I/O automata
was introduced.

We could have removed all liveness assumptions from C and used timing assumptions instead.
However, then it would have been difficult to see which timing requirements were actually needed
to guarantee the correctness of C and which were just additional timing requirements. Thus,
we introduce the minimum timing requirements and otherwise use liveness to guarantee the
progress of the system. This means that all external actions of C which are subject to liveness
requirements in S will be given liveness requirements in C, whereas certain internal actions,
like channel communication, will be given timing requirements. With this approach we cannot,
of course, prove any maximum response time on, e.g., acknowledgements $ack(b)$, but if such a
response time is important, it should have been specified in S. Instead S just assumes that the
final implementation is "fast enough".

The rest of the chapter is organized as follows. First, in Section 10.1, we present the clock
subsystem. In Section 10.2 we specify timed versions of the channels. Then, in Section 10.3, we
specify the sender and receiver and furthermore intuitively describe how the C protocol works.
Figure 10.1: The Clock-Based Protocol C.



Section 10.4 shows how C is obtained from its subprocesses and Section 10.5 then considers the 
correctness of C. Section 10.6 discusses a "weak" version of C, where the timing assumptions 
are removed, and finally Section 10.7 considers a version of C that works for a single receiver 
but multiple senders. 

10.1 The Clock Subsystem

The clock subsystem is specified as a live timed I/O automaton $Cl = (A_{Cl}, L_{Cl})$. We use the
explicit specification style (cf. Section 4.2.1) to specify $A_{Cl}$ and specify $L_{Cl}$ by an environment-free
timed liveness formula $Q_{Cl}$ for $A_{Cl}$.

10.1.1 States and Start States

$A_{Cl}$ contains three state variables: $now$ is as usual real time (ranging over $T$, which equals the
nonnegative real numbers), and $ctime_s$ and $ctime_r$ remember the last clock value sent to the
sender and receiver, respectively.



Variable    Type   Initially   Description
now         T                  Real time
ctime_s     T                  Last clock value sent to the sender.
ctime_r     T                  Last clock value sent to the receiver.



10.1.2 Actions

Input:
    none
Output:
    $tick_s(t)$, $t \in T$
    $tick_r(t)$, $t \in T$
Internal:
    none
Time-passage:
    $\nu$

10.1.3 Steps

The clock subsystem is responsible just for performing outputs of the form $tick_s(t)$ and $tick_r(t)$.
This clock subsystem is constrained to produce ticks that have the property that, at any real
time $now$, the most recent tick at either station has value within $\varepsilon$ of $now$. Thus, $\varepsilon$, which is
positive, denotes the clock skew. In addition, each local clock is nondecreasing, that is, successive
$tick_s(t)$ events have nondecreasing values of $t$, and similarly for successive $tick_r(t)$ events.

$tick_s(t)$
    Precondition:
        $ctime_s \le t \wedge$
        $|t - now| \le \varepsilon$
    Effect:
        $ctime_s := t$

$tick_r(t)$
    Precondition:
        $ctime_r \le t \wedge$
        $|t - now| \le \varepsilon$
    Effect:
        $ctime_r := t$

$\nu$ (time-passage)
    Precondition:
        $now < t \wedge$
        $|ctime_s - t| \le \varepsilon \wedge$
        $|ctime_r - t| \le \varepsilon$
    Effect:
        $now := t$

It is easy to see that $A_{Cl}$ is in fact a safe timed I/O automaton, i.e., that it satisfies the five
axioms in Definition 2.17. Clearly S1 is satisfied and, since the $tick_s(t)$ and $tick_r(t)$ steps do not change
the value of $now$, S2 is also satisfied. S3 is satisfied since the first conjunct in the precondition
of the step rule for $\nu$ explicitly requires real time to increase in time-passage steps. Also clearly,
if $(s, \nu, s')$ and $(s', \nu, s'')$ are steps, then $(s, \nu, s'')$ is a step, so S4 is satisfied. For the trajectory
axiom S5, assume that $(s, \nu, s')$ is a step. Then $s.ctime_s = s'.ctime_s$ and $s.ctime_r = s'.ctime_r$.
So, the mapping from the interval $[s.now, s'.now]$ to states, which to each time $t$ returns the
state $[now \mapsto t, ctime_s \mapsto s.ctime_s, ctime_r \mapsto s.ctime_r]$, is a trajectory from $s$ to $s'$.

10.1.4 Liveness

We need no liveness restriction (other than normal admissibility). Thus, $L_{Cl}$ should consist of
all admissible timed executions of $A_{Cl}$. This is specified by an environment-free timed liveness
formula $Q_{Cl}$ for $A_{Cl}$ as follows.

$Q_{Cl} = true$

It is easy to see that $true$ actually induces the liveness condition consisting of all admissible
timed executions of $A_{Cl}$. However, generally it is not the case that $true$ is an environment-free
timed liveness formula for a safe timed I/O automaton. For the clock subsystem, though, it is
the case. The proof obligation is to show that there exists a (timed) strategy defined on $A_{Cl}$
such that any outcome of the strategy can only consist of admissible and Zeno-tolerant timed
executions. But this is clearly the case. First of all, the clock subsystem has no inputs. So,
the $f$ function of the strategy should simply be defined to provide one $tick_s(t)$ step and one
$tick_r(t)$ step every $\varepsilon$ time units (remember that $\varepsilon$ is positive). Then any outcome will consist of
admissible timed executions only.
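The step rules of $A_{Cl}$ and the tick-every-$\varepsilon$ strategy just described, as an added executable model (Python code written for this page, not from the report). Each precondition is checked explicitly before the effect is applied; `strategy` plays the role of the $f$ function described above, and `stalled_clock_blocks_time` is a constructed scenario showing how the time-passage precondition forces ticks to keep coming.

```python
"""Executable model of the clock subsystem A_Cl of Section 10.1 (added example)."""
from __future__ import annotations
from dataclasses import dataclass


class NotEnabled(Exception):
    """Raised when a step's precondition does not hold in the current state."""


@dataclass
class ClockSubsystem:
    eps: float               # clock skew ε (> 0)
    now: float = 0.0         # real time
    ctime_s: float = 0.0     # last clock value sent to the sender
    ctime_r: float = 0.0     # last clock value sent to the receiver

    def tick_s(self, t: float) -> None:
        # Precondition: ctime_s <= t  and  |t - now| <= ε
        if not (self.ctime_s <= t and abs(t - self.now) <= self.eps):
            raise NotEnabled(f"tick_s({t}) not enabled")
        self.ctime_s = t

    def tick_r(self, t: float) -> None:
        # Precondition: ctime_r <= t  and  |t - now| <= ε
        if not (self.ctime_r <= t and abs(t - self.now) <= self.eps):
            raise NotEnabled(f"tick_r({t}) not enabled")
        self.ctime_r = t

    def enabled_passage(self, t: float) -> bool:
        """Precondition of ν: now < t, |ctime_s - t| <= ε, |ctime_r - t| <= ε.
        The last two conjuncts keep real time from running more than ε ahead
        of either local clock, which is what forces ticks to occur."""
        return (self.now < t and abs(self.ctime_s - t) <= self.eps
                and abs(self.ctime_r - t) <= self.eps)

    def time_passage(self, t: float) -> None:
        if not self.enabled_passage(t):
            raise NotEnabled(f"time passage to {t} not enabled")
        self.now = t


def strategy(clock: ClockSubsystem, rounds: int) -> list[tuple[float, float, float]]:
    """The f function sketched in Section 10.1.4: tick both stations at the current
    time, then let ε pass. Returns (now, ctime_s, ctime_r) after each round; since
    now grows by ε per round, every outcome is an admissible timed execution."""
    trace = []
    for _ in range(rounds):
        clock.tick_s(clock.now)
        clock.tick_r(clock.now)
        clock.time_passage(clock.now + clock.eps)
        trace.append((clock.now, clock.ctime_s, clock.ctime_r))
    return trace


def stalled_clock_blocks_time(eps: float = 0.5) -> tuple[bool, bool]:
    """Constructed scenario: the sender clock keeps up but the receiver clock
    stalls at 0, so real time cannot reach 2ε until tick_r catches up.
    Returns (passage blocked while stalled, passage enabled after tick_r)."""
    clock = ClockSubsystem(eps=eps)
    clock.tick_s(0.0)
    clock.tick_r(0.0)
    clock.time_passage(eps)             # allowed: both clocks within ε of ε
    clock.tick_s(eps)                   # sender clock catches up, receiver does not
    blocked = not clock.enabled_passage(2 * eps)   # |ctime_r - 2ε| = 2ε > ε
    clock.tick_r(clock.now)             # receiver clock catches up
    return blocked, clock.enabled_passage(2 * eps)


if __name__ == "__main__":
    print(strategy(ClockSubsystem(eps=0.5), 3))   # [(0.5, 0.0, 0.0), (1.0, 0.5, 0.5), (1.5, 1.0, 1.0)]
    print(stalled_clock_blocks_time())            # (True, True)
```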
10.2 The Timed Channels

The channels we use to connect the sender and the receiver in C are basically the same as the
channels we used in G and H. That is, an attempt to send a packet on a channel leads to zero
or more copies (a finite number) of the packet being put into the channel. The channels we used
in G and H furthermore had some liveness restrictions: if we made infinitely many attempts to
send a packet, then infinitely many copies would get through.

Now, the C protocol needs certain timing assumptions about the channels. Not only should
the channel delay (once a packet has been successfully placed in the channel) be bounded; it is
also necessary to assume an upper bound on the number of attempts needed before a packet has
been successfully placed in the channel. Thus, the timed channels should satisfy the following
properties.

1. For each packet $p_1$, if $k$ attempts (for some positive channel retry number $k$) are made to
send $p_1$, then at least one copy of $p_1$ is put in the channel, even though the $k$ attempts
may be interspersed with attempts to send other packets $p_2$.

2. When a copy of a packet is successfully put in the channel, the copy will be delivered at
the other end of the channel after at most the positive channel delay time $d$.



We give an explicit specification of the timed channel $Ch_{sr} = (A_{Ch_{sr}}, L_{Ch_{sr}})$. The specification
of the other channel $Ch_{rs} = (A_{Ch_{rs}}, L_{Ch_{rs}})$ is similar (and obtained by replacing $sr$ with $rs$).

10.2.1 States and Start States

The timed channel needs, as usual, a $now$ variable to specify real time. As before the main state
variable is a multiset $sr$. However, in order to specify that each packet must leave the channel
at most time $d$ after it entered the channel, we need to mark each packet with a send time (not
to be confused with the identifier timestamp we associate with messages). Thus, the multiset
contains elements of the form $(p, t)$, where $p$ is a packet and $t$ is the real time when $p$ entered
the channel. Furthermore, to specify that after at most $k$ attempts to send a packet, the packet
has been successfully put into the channel, we have for each packet $p$ a variable $count_{sr}(p)$ which
counts the number of unsuccessful attempts to send $p$.



Variable       Type       Initially   Description
now            T                      Real time
sr             B(P x T)               A multiset of packets together with the time
                                      when the packets were sent.
count_sr(p)    N                      For each p in P, count_sr(p) contains the
                                      number of unsuccessful attempts to send p
                                      since the last successful attempt.



Define $packets(sr)$ to be the multiset of packets in $sr$, i.e., the multiset obtained by removing
all send times $t'$ from all elements $(p, t')$ in $sr$.
10.2.2 Actions 

Input: 
    send_pkt_sr(p), p ∈ P 
Output: 
    receive_pkt_sr(p), p ∈ P 
Internal: 
    none 
Time-passage: 
    ν 

10.2.3 Steps 

send_pkt_sr(p) 
Effect: 
    let ps be a finite multiset of (p, now) such that 
        ps ≠ ∅ if count_sr(p) = k − 1 
    sr := sr ∪ ps 
    if ps ≠ ∅ then 
        count_sr(p) := 0 
    else 
        count_sr(p) := count_sr(p) + 1 

receive_pkt_sr(p) 
Precondition: 
    (p, t) ∈ sr 
Effect: 
    sr := sr \ {(p, t)} 

ν (time-passage) 
Precondition: 
    t > now ∧ 
    ∀(p, t') ∈ sr : (t ≤ t' + d) 
Effect: 
    now := t 

Note that the operators ∪ in send_pkt_sr(p) and \ in receive_pkt_sr(p) are operators on multisets, 
e.g., sr \ {(p, t)} removes one copy of (p, t) from sr. 
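An executable model of the channel automaton just specified, written for this page as an added example (it is not the report's own code): the multiset sr, the per-packet counter count_sr(p), the forced success on the k-th attempt, and the time-passage precondition that no copy stays in the channel longer than d. The values k = 3 and d = 2 used in the scenario are constructed.

```python
from collections import Counter


class TimedChannel:
    """Executable model of the timed channel Ch_sr of Section 10.2 (added example, not the
    report's own code). k is the channel retry number and d the channel delay bound."""

    def __init__(self, k, d):
        self.k, self.d = k, d
        self.now = 0.0
        self.sr = Counter()      # multiset of (packet, send_time) pairs
        self.count = Counter()   # count_sr(p): unsuccessful attempts since the last success

    def send_pkt(self, p, copies):
        # send_pkt_sr(p): `copies` is |ps|, the number of copies the channel keeps
        # (0 models loss). When count_sr(p) = k - 1 the channel may not choose ps = ∅.
        if self.count[p] == self.k - 1 and copies == 0:
            raise ValueError("k-th attempt must place at least one copy in the channel")
        if copies > 0:
            self.sr[(p, self.now)] += copies
            self.count[p] = 0
        else:
            self.count[p] += 1

    def receive_pkt(self, p):
        # receive_pkt_sr(p): precondition (p, t) ∈ sr; removes one copy, returns its send time.
        for (q, t), n in sorted(self.sr.items(), key=lambda kv: kv[0][1]):
            if q == p and n > 0:
                self.sr[(q, t)] -= 1
                return t
        raise ValueError("precondition failed: no copy of p in the channel")

    def latest_allowed_time(self):
        # Largest t allowed by the time-passage precondition ∀(p, t') ∈ sr : t ≤ t' + d.
        in_flight = [t for (_, t), n in self.sr.items() if n > 0]
        return min(in_flight) + self.d if in_flight else float("inf")

    def time_passage(self, t):
        # ν(t): precondition t > now ∧ ∀(p, t') ∈ sr : t ≤ t' + d; effect now := t.
        if not (t > self.now and t <= self.latest_allowed_time()):
            raise ValueError("time-passage precondition violated")
        self.now = t


def scenario():
    """Two lost attempts, the forced third success, and delivery within d (constructed run)."""
    ch = TimedChannel(k=3, d=2.0)
    ch.send_pkt("p1", 0)            # lost
    ch.time_passage(1.0)
    ch.send_pkt("p1", 0)            # lost again: count_sr(p1) = 2 = k - 1
    ch.time_passage(2.0)
    try:
        ch.send_pkt("p1", 0)        # a third loss would violate property 1 of Section 10.2
        forced = False
    except ValueError:
        forced = True
    ch.send_pkt("p1", 1)            # one copy enters at now = 2.0
    deadline = ch.latest_allowed_time()     # 4.0: the copy must leave by send time + d
    try:
        ch.time_passage(5.0)        # would keep the copy in the channel longer than d
        overdue = False
    except ValueError:
        overdue = True
    ch.time_passage(4.0)
    t_sent = ch.receive_pkt("p1")
    return {"forced": forced, "deadline": deadline, "overdue": overdue,
            "t_sent": t_sent, "count": ch.count["p1"]}
```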

As for the clock subsystem it is easy to see that A_Ch_sr is in fact a safe timed I/O automaton. 

10.2.4 Liveness 

We need no liveness restriction (other than normal admissibility). Thus, L_Ch_sr should consist of 
all admissible timed executions of A_Ch_sr. This is specified by an environment-free timed liveness 
formula Q_Ch_sr for A_Ch_sr as follows. 

Q_Ch_sr = true 

Q_Ch_sr clearly is an environment-free timed liveness formula for A_Ch_sr. The g function of a (timed) 
strategy could be defined to add one copy to sr every time send_pkt_sr(p) occurs. The f function 
of the strategy should then simply be defined to wait the maximum time (d) before outputting 
a packet again. In this way (since d is positive), if the environment provides Zeno input, the 
resulting outcome will be Zeno-tolerant. In all other cases the outcome will consist of admissible 
timed executions only. That suffices. 

10.3 The Sender and the Receiver 

Above we have specified the clock subsystem and the timed channels explicitly as live timed 
I/O automata. To specify the sender and receiver processes in C, we use the implicit approach 
introduced in Section 4.2.1. That is, we describe the automaton part of both the sender and 
receiver live timed I/O automaton as MMT-specifications (cf. Definition 4.9) A_MMT,s and A_MMT,r, 
respectively. 

When formally defining steps(A_MMT,s) and steps(A_MMT,r) below, we furthermore provide an 
intuitive description of the functionality of C. 

10.3.1 States and Start States 

Sender 

The identifiers used to tag messages at the C level are taken from the sender's local clock and 
are thus also called timestamps. Thus, the domain of the variable last_s, which contains the 
current timestamp, is T. The sender's local clock is contained in time_s. This variable must be 
stable, i.e., it must survive a crash. 

Variable         Stable   Type                 Initially   Description 
mode_s                    {idle, send, rec}    idle        The mode of the sender. Compared to G, the sender does not need a special needid mode. Instead the sender enters send mode directly from idle mode. 
buf_s                     Msg*                 ε           The list of messages at the sender side. Same as at the G level. 
time_s           S        T                    0           The sender's local clock. 
current-msg_s             Msg ∪ {nil}          nil         The message about to be sent to the receiver. Same as at the G level. 
last_s                    T                    0           The timestamp chosen for the current message. Same as at the G level. 
current-ack_s             Bool                 false       Acknowledgement from the receiver. Same as at the G level. 

S = Stable 



Receiver 

The receiver's local clock is called time_r and, as for the sender's local clock, it must be stable. 
The receiver also contains the variables lower_r and upper_r, both ranging over T. The role of 
these variables is to delimit the interval of timestamps that the receiver will accept. The variable 
upper_r, which is stable, is initialized to the special timing constant β. Exactly how lower_r and 
upper_r are manipulated and what the properties of β must be will be described below. The final 
new variable is rm-time_r. This variable holds the timestamp of the last message delivered to the 
user and is used to calculate when the receiver can safely clean up its state. This mechanism is 
also described below. 

Variable      Stable   Type                      Initially   Description 
mode_r                 {idle, rcvd, ack, rec}    idle        The mode of the receiver. Same as at the G level. 
buf_r                  Msg*                      ε           The list of messages accepted. Same as at the G level. 
time_r        S        T                         0           The receiver's local clock. 
last_r                 T                         0           The timestamp of the last message accepted. 
lower_r                T                         0           A lower bound on the timestamp of a new message that can be accepted. 
upper_r       S        T                         β           An upper bound on such a timestamp. 
rm-time_r              T ∪ {∞}                   ∞           Remembers the value of the local clock when the last message accepted was delivered to the user. Is used for clean-up purposes. 
nack-buf_r             T*                        ε           The list of timestamps for which the receiver will issue a negative acknowledgement. 

S = Stable 



10.3.2 Actions 

Sender 

Input: 
    send_msg(m), m ∈ Msg 
    crash_s 
    receive_pkt_rs(t, b), t ∈ T, b ∈ Bool 
    tick_s(t), t ∈ T 
Output: 
    ack(b), b ∈ Bool 
    recover_s 
    send_pkt_sr(m, t), m ∈ Msg, t ∈ T 
Internal: 
    choose_id(t), t ∈ T 

Receiver 

Input: 
    crash_r 
    receive_pkt_sr(m, t), m ∈ Msg, t ∈ T 
    tick_r(t), t ∈ T 
Output: 
    receive_msg(m), m ∈ Msg 
    recover_r 
    send_pkt_rs(t, b), t ∈ T, b ∈ Bool 
Internal: 
    increase-lower_r(t), t ∈ T 
    increase-upper_r(t), t ∈ T 
    cleanup_r 
10.3.3 Steps 

We now provide the formal definition of the steps of the underlying automata in the MMT- 
specifications of the sender and receiver. We list the definition of the steps of the sender 
first and then the definition of the steps of the receiver. 
However, first we provide the intuition behind the functionality of C. 

Informally C works as follows during normal mode of operation. The sender associates in a 
choose_id(t) step the timestamp t with the next message it wishes to transmit. The timestamp 
is obtained from the sender's local clock time_s, so the precondition for choose_id(t) guarantees 
that the local clock has advanced since the last time a timestamp was chosen (last_s). The sender 
is now in send mode and starts to transmit repeatedly the current packet over the channel to 
the receiver. The time between every retry, as we shall see formally in Section 10.3.6, is at most 
the constant l_s. Based on this constant and the channel characteristics, it is possible to derive 
the maximum delay before the current packet is received. 

The receiver now uses the associated timestamp to decide whether or not to accept a received 
message — roughly, it will accept a message provided that the associated timestamp is greater 
than the timestamp of the last message that was accepted, which is kept in last_r. However, the 
receiver does not always remember the timestamp of the last accepted message: it might forget 
this information because of a crash, or simply because a long time has elapsed since the last 
message was accepted and it is no longer efficient to remember it (see below). Therefore, the 
receiver uses safe time estimates determined from its own local clock (time_r) to decide when 
to accept a message. The estimates are kept in lower_r and upper_r; the receiver accepts if the 
message's timestamp is in the interval (lower_r, upper_r]. 

The lower_r bound is designed to be at least as big as the time of the last message accepted. It 
can be bigger, however, but in this case it must be sufficiently less than the receiver's local time 
(at least a maximum one-way message delay (plus a double clock skew) less). This is because 
the receiver should not accidentally fail to accept a valid message that takes the maximum time 
to arrive. We note that the reason why we do not want to remember just the last timestamp is 
that we envision using this protocol in parallel for many users, and a single lower_r bound could 
be used for all users that have not sent messages for a long while. The special timing constant 
ρ signifies the amount by which lower_r must be kept smaller than time_r when incremented in 
increase-lower_r(t) steps. In Section 10.3.6 we show how ρ should be related to the other timing 
constants of the system. 

The upper_r bound is chosen to be big enough so that the receiver still accepts the most recent 
messages, even if they arrive very fast. That is, it should be somewhat larger than the current 
time (at least a double clock skew larger). But this bound is kept in stable storage, and therefore 
should not be updated very often. Thus, it will generally be set to be a good deal larger than the 
current local time. When we present the timing constraints in Section 10.3.4 below, we show that 
at most some time l'_r elapses between every time upper_r is increased (in an increase-upper_r(t) 
step). The timing constant β, which occurs in the definition of increase-upper_r(t) below, then 
has to be properly related to l'_r in order to guarantee that upper_r is always big enough. 

Unlike the H protocol, C will not continuously issue positive acknowledgements for the last 
packet successfully received. Instead it only issues one positive acknowledgement and returns 
to idle mode (cf. the definition of the send_pkt_rs(t, true) steps below). If this packet is lost 
in the channel, eventually the receiver will receive another copy of the current packet; this will 
change mode_r to ack and a new positive acknowledgement will be issued. After at most k retries, 
(t, true) is successfully placed in the buffer and after at most d time units thereafter, the sender 
will receive the acknowledgement. Once send_pkt_rs(t, true) is enabled, it must occur within l_r 
time units unless it is disabled in the meantime. This upper bound will be important in order 
to specify when the receiver is allowed to clean up its state. 

This completes a normal cycle of the sender and receiver. After the formal definition of the 
steps, we return to the description of the special cleanup_r action and what can happen due to 
crashes and recoveries. 

Sender 

send_msg(m) 
Effect: 
    if mode_s ≠ rec then 
        buf_s := buf_s ⌢ m 

choose_id(t) 
Precondition: 
    mode_s = idle ∧ 
    buf_s ≠ ε ∧ 
    time_s = t ∧ 
    t > last_s 
Effect: 
    mode_s := send 
    last_s := t 
    current-msg_s := head(buf_s) 
    buf_s := tail(buf_s) 

send_pkt_sr(m, t) 
Precondition: 
    mode_s = send ∧ 
    current-msg_s = m ∧ 
    last_s = t 
Effect: 
    none 

receive_pkt_rs(t, b) 
Effect: 
    if mode_s = send ∧ last_s = t then 
        mode_s := idle 
        current-ack_s := b 
        current-msg_s := nil 

ack(b) 
Precondition: 
    mode_s = idle ∧ 
    buf_s = ε ∧ 
    current-ack_s = b 
Effect: 
    none 

crash_s 
Effect: 
    mode_s := rec 

recover_s 
Precondition: 
    mode_s = rec 
Effect: 
    mode_s := idle 
    last_s := time_s 
    buf_s := ε 
    current-msg_s := nil 
    current-ack_s := false 

tick_s(t) 
Effect: 
    time_s := t 

Receiver 

receive_pkt_sr(m, t) 
Effect: 
    if mode_r ≠ rec then 
        if lower_r < t ≤ upper_r then 
            mode_r := rcvd 
            buf_r := buf_r ⌢ m 
            last_r := t 
            rm-time_r := ∞ 
            lower_r := t 
        else if last_r < t ≤ lower_r then 
            nack-buf_r := nack-buf_r ⌢ t 
        else if mode_r = idle ∧ last_r = t then 
            mode_r := ack 

receive_msg(m) 
Precondition: 
    mode_r = rcvd ∧ 
    buf_r ≠ ε ∧ 
    head(buf_r) = m 
Effect: 
    buf_r := tail(buf_r) 
    if buf_r = ε then 
        mode_r := ack 
        rm-time_r := time_r 

send_pkt_rs(t, true) 
Precondition: 
    mode_r = ack ∧ 
    last_r = t 
Effect: 
    mode_r := idle 

send_pkt_rs(t, false) 
Precondition: 
    mode_r ≠ rec ∧ 
    nack-buf_r ≠ ε ∧ 
    head(nack-buf_r) = t 
Effect: 
    nack-buf_r := tail(nack-buf_r) 

crash_r 
Effect: 
    mode_r := rec 

recover_r 
Precondition: 
    mode_r = rec ∧ 
    upper_r + 2ε < time_r 
Effect: 
    mode_r := idle 
    last_r := 0 
    rm-time_r := ∞ 
    buf_r := ε 
    lower_r := upper_r 
    upper_r := time_r + β 
    nack-buf_r := ε 

increase-lower_r(t) 
Precondition: 
    mode_r ≠ rec ∧ 
    lower_r < t ≤ time_r − ρ 
Effect: 
    lower_r := t 

increase-upper_r(t) 
Precondition: 
    mode_r ≠ rec ∧ 
    upper_r < t = time_r + β 
Effect: 
    upper_r := t 

cleanup_r 
Precondition: 
    mode_r ∈ {idle, ack} ∧ 
    time_r > rm-time_r + α 
Effect: 
    mode_r := idle 
    last_r := 0 
    rm-time_r := ∞ 

tick_r(t) 
Effect: 
    time_r := t 
All that needs to be kept in stable storage is just the local clocks time_s and time_r, plus the 
one variable upper_r of the receiver. When the receiver side crashes and recovers again (cf. the 
definition of recover_r above), it resets its lower_r bound to the old upper_r bound, to be sure 
that it will not accept, and thus deliver, any message twice. This explains why we cannot just 
set upper_r to infinity. It also explains another detail: the precondition for the recover_r steps 
requires the local clock to grow beyond upper_r + 2ε before recovery can take place. This is 
because otherwise the new lower_r bound would be too big compared to time_r, which could lead 
to the rejection of a very fast message sent to the system after the recovery of the receiver. If 
we were to allow such a rejection, C would not correctly (or even safely) implement S since S 
only allows the loss of messages which are in the system between crash and recovery. 

The way the receiver informs the sender that the sender is in a bad send state is similar 
to the way this is done at the G level: when the receiver receives a packet (m, t) where t is 
not between lower_r and upper_r, it should issue a negative acknowledgement for t. However, 
if t ≤ last_r, the receiver has already successfully received a message with a later timestamp, 
so (m, t) cannot be the current packet of the sender. In this situation the receiver does not 
issue the negative acknowledgement. (Note that, due to crashes or clean-ups (see below), the 
receiver may forget last_r. However, in this case last_r = 0, and the receiver will issue negative 
acknowledgements for all "bad" timestamps and, in particular, the current one.) 

Finally we consider the clean-up mechanism of the receiver. When a long time has elapsed 
since the receiver started to issue positive acknowledgements for the last packet accepted, it can 
be sure that the sender has received the acknowledgement, and is thus allowed to forget last_r 
and move to idle mode. This is specified in the definition of cleanup_r above. Section 10.3.6 
describes how large the timing constant α occurring in the precondition should be. 
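An executable model of the receiver's steps above, written for this page as an added example (it is not the report's code); the sender and channels are not modelled, so packets are handed to the receiver directly. The timing constants are constructed values chosen to satisfy the three constraints of Section 10.3.6, and the scenario plays one normal cycle, two duplicates, a stale timestamp, a cleanup and a crash/recovery to show which packets the window (lower_r, upper_r] admits.

```python
import math
from dataclasses import dataclass, field

# Constructed timing constants (not from the report), chosen to satisfy Section 10.3.6:
# β > 2ε + l'_r, ρ > kl_s + d + 2ε, α > k(l_r + d) + (k − 1)kl_s + 2ε.
EPS, L_S, L_R, L_R_PRIME, D, K = 1.0, 1.0, 1.0, 3.0, 2.0, 3
BETA = 2 * EPS + L_R_PRIME + 1                            # 6.0
RHO = K * L_S + D + 2 * EPS + 1                           # 8.0
ALPHA = K * (L_R + D) + (K - 1) * K * L_S + 2 * EPS + 1   # 18.0
INF = math.inf


def constants_ok():
    return (BETA > 2 * EPS + L_R_PRIME and RHO > K * L_S + D + 2 * EPS
            and ALPHA > K * (L_R + D) + (K - 1) * K * L_S + 2 * EPS)


@dataclass
class Receiver:
    mode: str = "idle"                              # mode_r
    buf: list = field(default_factory=list)         # buf_r
    time: float = 0.0                               # time_r (stable)
    last: float = 0.0                               # last_r
    lower: float = 0.0                              # lower_r
    upper: float = BETA                             # upper_r (stable), initially β
    rm_time: float = INF                            # rm-time_r
    nack_buf: list = field(default_factory=list)    # nack-buf_r

    def tick(self, t):                  # tick_r(t)
        self.time = t
    def receive_pkt(self, m, t):        # receive_pkt_sr(m, t); returns the branch taken
        if self.mode == "rec":
            return "dropped"
        if self.lower < t <= self.upper:            # fresh timestamp inside the window
            self.mode, self.last, self.lower, self.rm_time = "rcvd", t, t, INF
            self.buf.append(m)
            return "accepted"
        if self.last < t <= self.lower:             # too old, but newer than last_r: nack it
            self.nack_buf.append(t)
            return "nack"
        if self.mode == "idle" and self.last == t:  # duplicate of the last accepted packet
            self.mode = "ack"
            return "ack"
        return "ignored"
    def receive_msg(self):              # receive_msg(m): deliver head(buf_r) to the user
        assert self.mode == "rcvd" and self.buf
        m = self.buf.pop(0)
        if not self.buf:
            self.mode, self.rm_time = "ack", self.time
        return m
    def send_ack(self):                 # send_pkt_rs(t, true)
        assert self.mode == "ack"
        self.mode = "idle"
        return (self.last, True)
    def increase_lower(self, t):        # increase-lower_r(t)
        assert self.mode != "rec" and self.lower < t <= self.time - RHO
        self.lower = t
    def increase_upper(self, t):        # increase-upper_r(t)
        assert self.mode != "rec" and self.upper < t == self.time + BETA
        self.upper = t
    def cleanup(self):                  # cleanup_r; returns whether it was enabled
        if self.mode in ("idle", "ack") and self.time > self.rm_time + ALPHA:
            self.mode, self.last, self.rm_time = "idle", 0.0, INF
            return True
        return False
    def crash(self):                    # crash_r
        self.mode = "rec"
    def recover(self):                  # recover_r; returns whether it was enabled
        if not (self.mode == "rec" and self.upper + 2 * EPS < self.time):
            return False
        self.mode, self.last, self.rm_time, self.buf = "idle", 0.0, INF, []
        self.lower, self.upper, self.nack_buf = self.upper, self.time + BETA, []
        return True


def scenario():
    """One normal cycle, two duplicates, a stale packet, a cleanup and a crash/recovery."""
    r, out = Receiver(), {}
    r.tick(10.0)
    r.increase_upper(16.0)                              # upper_r := time_r + β
    out["m1"] = r.receive_pkt("m1", 9.5)                # accepted: 0 < 9.5 ≤ 16
    out["delivered"] = r.receive_msg()                  # "m1"; rm-time_r := 10
    out["dup_in_ack_mode"] = r.receive_pkt("m1", 9.5)   # ignored: no second delivery
    r.send_ack()
    out["dup_in_idle_mode"] = r.receive_pkt("m1", 9.5)  # re-acknowledged only
    r.send_ack()
    r.tick(30.0)
    r.increase_upper(36.0)
    r.increase_lower(22.0)                              # 22 ≤ 30 − ρ
    out["stale"] = r.receive_pkt("m2", 15.0)            # nack: 9.5 < 15 ≤ 22
    out["cleanup"] = r.cleanup()                        # 30 > 10 + α
    r.crash()
    r.tick(38.0)
    out["early_recover"] = r.recover()                  # 36 + 2ε < 38 fails
    r.tick(41.0)
    out["recover"] = r.recover()                        # lower_r := 36, upper_r := 47
    out["pre_crash_pkt"] = r.receive_pkt("m3", 35.0)    # nack: may have been delivered already
    out["post_crash_pkt"] = r.receive_pkt("m4", 42.0)   # accepted: 36 < 42 ≤ 47
    return out
```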

10.3.4 Timing Constraints 

We can now specify sets(A_MMT,s), boundmap(A_MMT,s), sets(A_MMT,r), and boundmap(A_MMT,r) 
and thus complete the MMT-specifications of the sender and the receiver. 

Sender 

The correctness of C depends on an upper bound on the send_pkt_sr(m, t) actions of the sender. 
Thus, sets(A_MMT,s) contains only one set of locally-controlled actions and boundmap(A_MMT,s) 
then associates a lower and upper bound on this set. Formally we have 

C_C,s = {send_pkt_sr(m, t) | m ∈ Msg ∧ t ∈ T} 

and 

b_l(C_C,s) = 0 
b_u(C_C,s) = l_s 

where l_s is a positive real. 

Receiver 

Similarly, as mentioned above we put bounds on two sets of locally-controlled actions of the 
receiver. The two constants l_r and l'_r are both positive reals. 

C_C,r1 = {send_pkt_rs(id, true) | id ∈ ID} 
C_C,r2 = {increase-upper_r(t) | t ∈ T} 

and 

b_l(C_C,r1) = 0 
b_u(C_C,r1) = l_r 

b_l(C_C,r2) = 0 
b_u(C_C,r2) = l'_r 

10.3.5 The Sender and Receiver Safe Timed I/O Automata 

The safe timed I/O automata of the sender and receiver processes in C are now given by (cf. 
Definition 4.10) 

A_C,s = time(A_MMT,s) 
A_C,r = time(A_MMT,r) 

10.3.6 Derived Timing Constants 

Before we specify the liveness requirements for the sender and receiver processes of C, we return 
to the three timing constants β, ρ, and α occurring in the definition of the steps of the sender 
and receiver, and show how they should be related to the other timing constants. We give the 
intuition behind the constants, and in the proofs in Section 10.5 we show that the properties of 
the constants actually guarantee correctness. We first repeat the other timing constants, which 
are all positive reals: 

ε    The maximum clock skew from real time (at both the sender and receiver side). 

l_s  An upper time bound between retransmissions of message packets (m, t) from the sender. 

l_r  An upper time bound between retransmissions of positive acknowledgement packets (t, true) 
from the receiver. 

l'_r An upper bound between increase-upper_r(t) steps of the receiver. (This upper bound will 
usually be bigger than l_r since increase-upper_r(t) writes to stable storage.) 

d    An upper bound on channel delay. 

Furthermore, the channel retry number k is a fixed positive integer, which represents the number 
of retries that will guarantee delivery of a packet. 

We consider β, ρ, and α one by one. 

The Timing Constant β 

The timing constant β occurs in the definition of the increase-upper_r(t) steps above and indicates 
the amount by which upper_r should be set bigger than time_r. Assume that the sender's local 
time is ε ahead of real time and the receiver's time is ε behind. If the sender picks a timestamp 
for the current message and this message arrives very fast (in fact arbitrarily fast since we have 
no lower bounds in the system) at the receiver, the timestamp of this message will be 2ε larger 
than the receiver's local time. Since the message must be accepted, upper_r must be at least 2ε 
larger than time_r at any moment (where the receiver is not crashed). When increase-upper_r(t) 
has occurred, it will recur before l'_r time units. Thus, β should satisfy 

β > 2ε + l'_r 

Note, the smaller β is, the more often increase-upper_r(t) steps (and thus writes to stable storage) 
are required to happen. On the other hand, if β is chosen too big, recovery will be delayed (cf. 
the definition of recover_r). 

The Timing Constant ρ 

The timing constant ρ occurs in the definition of the increase-lower_r(t) steps above and indicates 
the amount by which lower_r must be smaller than time_r. The ρ bound should guarantee that 
very slow messages from the sender will still be accepted. Assume the sender's local time is ε 
behind real time and the receiver's local time is ε ahead. By the time the sender associates a new 
timestamp t with the current message, t = time_r − 2ε. Now, the sender will succeed in placing 
the current packet in the channel after at most k retries and the delay between each retry is at 
most l_s. Thus, after kl_s time units, from the time the timestamp was chosen, the current packet 
must have been placed in the channel, and after at most d time units the packet will be received. 
Thus, during the time of transmission, the receiver's local time has increased by at most kl_s + d 
time units (it cannot have increased by more since it was already the maximum amount ahead 
of real time). We finally get that the timestamp t will be time_r − (kl_s + d + 2ε) at the time of 
receipt in this worst case. Thus, 

ρ > kl_s + d + 2ε 

The Timing Constant α 

We finally consider α which occurs in the definition of cleanup_r. Clearly, α is the most compli- 
cated of the timing constants. 

There is no bound on how fast new packets can arrive at the receiver, nor are there bounds 
on how fast the receiver delivers accepted messages to the user. The α bound has to indicate 
the first time by which it is no longer necessary to remember last_r. This bound thus has to be 
calculated from the time the last message accepted (i.e., the message for which last_r gives the 
timestamp) is delivered. 

We consider a situation where neither the sender nor the receiver crashes. 

Let now_rm be a real time when receive_msg(m) occurs and buf_r becomes empty, and let 
time_r,rm be the corresponding value of time_r. Also, let now_send-ack,i denote the real time when 
the receiver performs its ith send_pkt_rs(t, true) step for the current timestamp t (contained in 
last_r). We have 

now_send-ack,1 ≤ now_rm + l_r 

The maximum delay until the receiver receives (m, t) again is kl_s + d. (Just before the receiver 
performed send_pkt_rs(t, true) the sender might have succeeded in putting a copy of (m, t) into 
the channel, and this copy could be fast such that it arrives with no delay at the receiver, i.e., 
just before send_pkt_rs(t, true). Since such copies are not buffered by the receiver, the receiver 
has to wait for the next copy which arrives after at most kl_s + d time units.) Thus, 

now_send-ack,2 ≤ now_send-ack,1 + (kl_s + d + l_r) 
               = now_rm + l_r + (kl_s + d + l_r) 

And for the kth send_pkt_rs(t, true), 

now_send-ack,k ≤ now_send-ack,k−1 + (kl_s + d + l_r) 
               = now_send-ack,k−2 + 2(kl_s + d + l_r) 
               ⋮ 
               = now_send-ack,1 + (k − 1)(kl_s + d + l_r) 
               = now_rm + l_r + (k − 1)(kl_s + d + l_r) 

Now, let now_ack-rcvd be the real time when (t, true) is received by the sender and let time_r,ack-rcvd 
be the corresponding value of time_r. 

now_ack-rcvd ≤ now_send-ack,k + d 
             = now_rm + l_r + (k − 1)(kl_s + d + l_r) + d 
             = now_rm + k(l_r + d) + (k − 1)kl_s 

Since time_r − ε ≤ now and time_r + ε ≥ now, we have 

time_r,ack-rcvd − ε ≤ now_ack-rcvd 
                    ≤ now_rm + k(l_r + d) + (k − 1)kl_s 
                    ≤ time_r,rm + ε + k(l_r + d) + (k − 1)kl_s 

Thus, 

time_r,ack-rcvd ≤ time_r,rm + k(l_r + d) + (k − 1)kl_s + 2ε 

Since the state variable rm-time_r of the receiver is set to time_r,rm at the time of the last 
receive_msg(m) step, we see from the definition of cleanup_r that α should satisfy 

α > k(l_r + d) + (k − 1)kl_s + 2ε 

Note that 

• α depends on k² (but fortunately not on k²d). 

• the 2ε in α is actually not obtained as the maximum difference between sender and receiver 
clocks but as two times the maximum receiver clock skew. 

10.3.7 Liveness 

The liveness requirements to the sender and receiver processes of C are weak fairness to sets of 
locally-controlled actions. 

Sender 

Let 

C_C,s = {ack(true), ack(false), recover_s} ∪ 
        {choose_id(t) | t ∈ T} ∪ 
        {send_pkt_sr(m, id) | m ∈ Msg ∧ id ∈ ID} 

Then the liveness condition L_C,s is induced by 

Q_C,s = WF(C_C,s) 

Note that it is actually not necessary to add the send_pkt_sr(m, id) actions to C_C,s since these 
actions are already constrained by the stronger timing requirements. 

In the untimed setting weak fairness to locally-controlled actions is trivially environment-free. 
This is not necessarily the case in the timed setting. The problem is that even with the simple 
weak fairness requirements, the system might still collaborate with a Zeno environment and 
generate outcome timed executions that are not Zeno-tolerant. However, Q_C,s is environment- 
free for A_C,s. Intuitively, consider a strategy that, for the actions in the bounded set C_C,s of 
Section 10.3.4, always waits the maximum delay l_s before performing an action in that set. The 
actions in the fairness set C_C,s defined above should then be handled similarly, with some 
arbitrary positive real number as bound. If both sets become disabled, there are no requirements, 
so the strategy should just let time pass forever. With this strategy, if the environment is not 
Zeno, each outcome timed execution will be in L_C,s, and if the environment is Zeno, each 
outcome timed execution will be Zeno-tolerant. 

Finally note that, by Proposition 3.4, Q_C,s is stuttering-insensitive. 

Receiver 

Similarly, let 

C_C,r1 = {recover_r} ∪ {receive_msg(m) | m ∈ Msg} ∪ 
         {send_pkt_rs(id, true) | id ∈ ID} 
C_C,r2 = {send_pkt_rs(t, false) | t ∈ T} 

Then L_C,r is induced by 

Q_C,r = WF(C_C,r1) ∧ WF(C_C,r2) 

As for the sender, Q_C,r is stuttering-insensitive and environment-free for A_C,r. 

10.4 The Specification of C 

C is the parallel composition of sender, receiver, two channels, and clock subsystem. First define 
C'' = (A''_C, L''_C) as 

C'' = C_s || C_r || Ch_sr || Ch_rs || Cl 

By Proposition 4.17, L''_C is induced by Q_C, which is defined as 

Q_C = Q_C,s ∧ Q_C,r ∧ Q_Ch_sr ∧ Q_Ch_rs ∧ Q_Cl 

C'' has channel communication as well as ticks from the clock subsystem as external (output) 
actions. To obtain a specification where the ticks are hidden, define 

A'_C = {tick_s(t) | t ∈ T} ∪ {tick_r(t) | t ∈ T} 

Then C' = (A'_C, L'_C) is defined as 

C' = C'' \ A'_C 

By Proposition 4.18, L'_C is induced by Q_C. 

Finally, to get C, we hide the channel actions. First define 

A_C = {send_pkt_sr(m, t) | m ∈ Msg ∧ t ∈ T} ∪ 
      {receive_pkt_sr(m, t) | m ∈ Msg ∧ t ∈ T} ∪ 
      {send_pkt_rs(t, b) | t ∈ T ∧ b ∈ Bool} ∪ 
      {receive_pkt_rs(t, b) | t ∈ T ∧ b ∈ Bool} 

Then the specification of C = (A_C, L_C) is given by 

C = C' \ A_C 

Again, by Proposition 4.18, L_C is induced by Q_C. 

We now turn to proving the correctness of C. This involves, among other things, use of the 
Embedding Theorem of Section 2.3. 

10.5 Correctness of C 

The objective of this section is to prove correctness of C — not with respect to G but with respect 
to the patient version of G. Then the Embedding Theorem of Chapter 2 will allow us to conclude 
that C correctly implements patient(S). 

First, recall that the G protocol uses a set ID of identifiers that has to satisfy certain 
conditions (cf. Section 8.1). We instantiate this set with the time domain T, which clearly 
satisfies the conditions. Thus, we set ID = T in the proofs below. 

Next, recall from Section 9.4 that we first proved that H' correctly implements G', where 
H' and G' are the versions of H and G with channel communication as external actions. This 
was because the Execution Correspondence Theorem gives a stronger result the more external 
actions the systems have in common. The same motivation leads us first to consider the proof 
that C correctly implements patient(G'). Thus, let G^p' = (A_G', L^p_G') be defined as 

G^p' = patient(G') 

By Proposition 4.22, L^p_G' is induced by Q_G' and Q_G' is minimal. 

In order to prove that C correctly implements G^p', we first enhance C with history variables 
and thereby obtain C^h = (A^h_C, L^h_C). We then prove several invariants of A^h_C and show the 
existence of a timed refinement mapping from A^h_C to A_G'. Finally, this refinement result is used 
to prove that C^h correctly implements G^p' and, in turn, that C correctly implements patient(S). 

10.5.1 Adding History Variables 

We add two history variables to C and denote the resulting live timed I/O automaton by 
C^h = (A^h_C, L^h_C). 

Variable    History   Type       Initially   Description 
used_s      H         T*         ε           The list of timestamps used by the sender. Same as at the G level. 
deadline    H         T ∪ {∞}    ∞           An estimated deadline on arrival of the current packet. 

H = History 
We now show how the history variables should be updated (cf. Section 9.4.1 where history 
variables are added at the H level). We refer to Section 5.2.5 for a description on how we are 
allowed to manipulate the history variables. 

choose_id(t) 
Precondition: 
    (* Precondition from C_s *) 
Effect: 
    (* Effect clause from C_s *) 
    used_s := used_s ⌢ t 
    if mode_r ≠ rec then 
        deadline := now + kl_s + d 

receive_pkt_sr(m, t) 
Precondition: 
    (* Precondition from Ch_sr *) 
Effect: 
    (* Effect clause from Ch_sr *) 
    (* Effect clause from C_r *) 
    if mode_r ≠ rec then 
        if lower_r < t ≤ upper_r then 
            if t = last_s ∧ mode_s = send then 
                deadline := ∞ 
        else if last_r < t ≤ lower_r then 
            (* no change to deadline *) 
        else if mode_r = idle ∧ last_r = t then 
            (* no change to deadline *) 

crash_s 
Effect: 
    (* Effect clause from C_s *) 
    deadline := ∞ 

crash_r 
Effect: 
    (* Effect clause from C_r *) 
    deadline := ∞ 

By Lemma 5.32, L^h_C is induced by Q_C. 



10.5.2 Invariants 

In this section we state the invariants of A^h_C we need below. The proofs are deferred to Ap- 
pendix C. 

The first invariant deals with the local clocks of the sender and receiver in A^h_C and states 
that the maximal clock skew for these is ε, which then implies that time_s and time_r can differ 
by at most 2ε. 

Invariant 10.1 

1. time_s = ctime_s 

2. time_r = ctime_r 

3. |time_s − now| ≤ ε 

4. |time_r − now| ≤ ε 

5. |time_s − time_r| ≤ 2ε 
■ 

When the receiver is not in recovery mode, upper r is updated regularly to ensure that timestamps 
chosen by the sender are never "too big". This is expressed by the following invariant. 

Invariant 10.2 

1. If mode_r ≠ rec then upper_r > now + ε 

2. If mode_r ≠ rec then upper_r > time_s 

3. If mode_r ≠ rec then upper_r > time_r 



The following invariant deals with last_s. Since the local clock time_s can never decrease and due 
to the facts that the current timestamp is taken from time_s, and last_s gets reset to time_s after a 
crash, it is the case that last_s is always less than or equal to time_s. Furthermore, the current 
timestamp (i.e., the value of last_s when mode_s = send) can never be 0. 

Invariant 10.3 

1. last_s ≤ time_s 

2. If mode_s = send then last_s > 0 



The state variable last_r contains the timestamp of the last message accepted by the receiver (or 
0 right after recovery or cleanup). The next invariant states that the value of last_r can never be 
considered a good timestamp by the receiver. (Otherwise the receiver could accidentally accept 
the same packet twice). Specifically, last_r is always less than or equal to lower_r. Furthermore, 
lower_r is always less than or equal to upper_r. 

Invariant 10.4 

1. last_r ≤ lower_r 

2. lower_r ≤ upper_r 



The next invariant states that the number of unsuccessful attempts (since the last successful 
attempt) to send a packet (m, t), where t > last_s, is always 0. Actually, no attempts can ever 
have been made to transmit (m, t) since the sender cannot yet have issued the timestamp t. 
Furthermore, the number of unsuccessful attempts (since last successful attempt) to send any 
packet can never be greater than or equal to k (the channel retry number). 

Invariant 10.5 

1. If t > last_s then count_sr(m, t) = 0 

2. count_sr(m, t) ≤ k − 1 

■ 

The following invariant is a key invariant and states properties of timestamps associated with 
messages and acknowledgements in the channels. 

Invariant 10.6 

1. If (m, t) ∈ packets(sr) then t ≤ last_s 

2. If (m, last_s) ∈ packets(sr) ∧ mode_s = send then m = current-msg_s 

3. last_r ≤ last_s 

4. If (t, true) ∈ packets(rs) then t ≤ last_s 

5. If t ∈ nack-buf_r then t ≤ lower_r 

6. If (t, b) ∈ packets(rs) then t ≤ lower_r 

■ 

Properties of the relationship between lower r and last s are stated in the following invariant. 

Invariant 10.7 

1. lower_r ≤ time_s 

2. If last_s < time_s then lower_r < time_s 
■ 

The sender chooses increasing timestamps as indicated by the next invariant. 

Invariant 10.8 

1. If t precedes t' in used_s then t < t' 



Due to the way the channels deal with the maximum channel delay d, the following invariant 
holds. 

Invariant 10.9 

1. If ((m, t), t') ∈ sr then t' < now + d 
To state the next invariant, we need a few definitions. Define the function mintime with the 
following signature 

mintime : P × B(P × T) → T 

in the following way 

mintime(p, ch) = t   if (p, t) ∈ ch ∧ ∀(p, t') ∈ ch : t' ≥ t 
               = 0   otherwise 

Thus, mintime(p, ch) gives the minimal send time associated with the packet p in ch (and 
defaults to 0 if p ∉ packets(ch)). Remember from the way we model the channels sr and rs that 
each element in the channels has two times associated with it: one is a timestamp chosen by 
the sender; the other represents the real time when the element was put into the channel and is 
called the send time of the packet. The function mintime returns send times. 

For any state s of Aq we define s. bound in the following way, where we use m and t as 
shorthands for s.current-msg s and s.last s , respectively. 

oo if s.mode s ^ send 

d + mintime((m, t), s.sr) if s.mode s = send A 

s. bound = < (m,t) £ packets(s.sr) 

s.last(CQ s ) + (k — 1 — s. count sr (m, t))l s + d if s.mode s = send A 

(m,t) £ packets(s.sr) 

Thus, s. bound represents an estimated time of arrival for the current packet. With this definition 
we can prove very important properties of the history variable deadline. 

Invariant 10.10 

1. bound ≤ deadline 

2. now ≤ bound 

3. now ≤ deadline 

4. If deadline ≠ ∞ then deadline ≤ last_s + ε + k·l_s + d 

5. If deadline ≠ ∞ then now ≤ last_s + ε + k·l_s + d 

6. If deadline ≠ ∞ then last_s > lower_r 

7. If deadline ≠ ∞ then mode_s = send ∧ mode_r ≠ rec 

■ 
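As an added illustration (this is not code from the report), the functions mintime and s.bound defined above, together with Parts 1-3 of Invariant 10.10, evaluated in Python over a constructed C-level state. The representation is an assumption of the example: the channel sr is a list of ((m, t), send_time) elements, count_sr is a dictionary keyed by packet, last(CQ_s) is stored in the field last_CQ_s, and the constants d, k and l_s as well as all state values are constructed sample values.

```python
"""Added example (not from the report): mintime, s.bound and Parts 1-3 of
Invariant 10.10, evaluated over constructed C-level states.

Assumptions (not from the report): channel sr is a list of ((m, t), send_time)
elements, count_sr is a dict keyed by packet, last(CQ_s) is the field
"last_CQ_s", and the constants d, k, l_s take the sample values below."""
from math import inf

# constructed protocol constants (sample values only)
D = 2.0    # maximum channel delay d
K = 3      # channel retry number k
L_S = 1.5  # retransmission interval l_s


def packets(ch):
    """Packets present in a channel, with the send-time components dropped."""
    return {p for (p, _send_time) in ch}


def mintime(p, ch):
    """Minimal send time of packet p in ch; 0 when p is not in packets(ch)."""
    send_times = [st for (q, st) in ch if q == p]
    return min(send_times) if send_times else 0


def count_sr(state, p):
    """Unsuccessful attempts to send p since the last success (Invariant 10.5)."""
    return state["count_sr"].get(p, 0)


def bound(state):
    """s.bound: the estimated arrival time of the current packet (m, t)."""
    if state["mode_s"] != "send":
        return inf
    p = (state["current_msg_s"], state["last_s"])
    if p in packets(state["sr"]):
        # the packet is in transit: it arrives within d of its earliest send time
        return D + mintime(p, state["sr"])
    # not in transit: the remaining k-1-count retransmissions, then one channel delay
    return state["last_CQ_s"] + (K - 1 - count_sr(state, p)) * L_S + D


def check_invariant_10_10(state):
    """Parts 1-3 of Invariant 10.10: bound <= deadline, now <= bound, now <= deadline."""
    b = bound(state)
    return (b <= state["deadline"]
            and state["now"] <= b
            and state["now"] <= state["deadline"])


# constructed sample state: packet ("a", 5) entered sr at real times 7.0 and 8.5,
# one earlier attempt was unsuccessful, and the history variable deadline is 9.0
SAMPLE = {
    "now": 9.0, "mode_s": "send", "current_msg_s": "a", "last_s": 5,
    "sr": [(("a", 5), 7.0), (("a", 5), 8.5)],
    "count_sr": {("a", 5): 1}, "last_CQ_s": 8.5, "deadline": 9.0,
}

if __name__ == "__main__":
    print("bound:", bound(SAMPLE), "invariant holds:", check_invariant_10_10(SAMPLE))
    drained = {**SAMPLE, "sr": []}  # the packet has left the channel
    print("bound after the channel drained:", bound(drained))
```

For the sample state the current packet is still in sr, so bound is d plus the earliest send time (2 + 7 = 9), and Parts 1-3 hold with deadline 9. Removing the packet from sr while keeping the same deadline yields bound 12 > deadline, so check_invariant_10_10 returns False; since Invariant 10.10 holds in every reachable state, a state with that combination of values cannot be reached.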

The receiver is allowed to clean up its state, i.e., to forget the timestamp of the last message 
accepted and move to idle mode, when a sufficiently long time has elapsed since the message 
was delivered to the user. By then the receiver can be certain that the sender has received a 
positive acknowledgement packet for the current packet. In the specification of the receiver, 
α indicates how long the receiver must wait before cleaning up. The following invariant captures 
the fact that α is properly defined. We do not prove the invariant but note that it can be proved 
in a fashion similar to the proof of Invariant 10.10. 

Invariant 10.11 

1. If mode_s = send ∧ mode_r ≠ rec ∧ time_r > rm-time_r + α then last_s ≠ last_r 

■ 

The final two invariants are trivial and state that any timestamps occurring in the channels are 
positive. 

Invariant 10.12 

1. If (m,t) ∈ packets(sr) then t > 0 

■ 

Invariant 10.13 

1. If (t,b) ∈ packets(rs) then t > 0 

■ 

We refer to the conjunction of the invariants above by I_C^h. 

10.5.3 Safety 

We now define a function from states(A_C) to states(A_G). Below, in Lemma 10.15, this function 
is proved to be a timed refinement mapping from A_C to A_G with respect to I_C^h and I_G. (Note 
that the invariant I_G of A_G is clearly also an invariant of A_G^p.) 

Below we use the notation (t1, t2] to denote both the left-open interval from t1 to t2 and the 
set {t | t1 < t ≤ t2}. Similar notation is used for the other kinds of intervals. 

Definition 10.14 (Refinement Mapping from A_C to A_G) 

If s ∈ states(A_C) then define R_CG(s) to be the state u ∈ states(A_G) such that 

1. u.now = s.now 
   u.mode_s = s.mode_s 
   u.buf_s = s.buf_s 
   u.current-msg_s = s.current-msg_s 
   u.current-ack_s = s.current-ack_s 
   u.used_s = s.used_s 
   u.mode_r = s.mode_r 
   u.buf_r = s.buf_r 
   u.nack-buf_r = s.nack-buf_r 

2. u.last_s = (if s.last_s = 0 then nil else s.last_s) 
   u.last_r = (if s.last_r = 0 then nil else s.last_r) 

3. u.good_s = {s.time_s} \ {s.last_s} 

4. u.good_r = (s.lower_r, s.upper_r] 

5. u.issued_r = (0, s.upper_r] 

6. u.current-ok = (s.deadline ≠ ∞) 

7. u.sr = packets(s.sr) 
   u.rs = packets(s.rs) 

■ 
Note how the values of most variables at the G level correspond directly to the values of the same 
variables at the C level as expressed by Part 1. Part 2 gives the trivial correspondence for the 
last_s and last_r variables. Parts 3-5 contain the interesting aspects of the mapping: good_s — the 
timestamps the sender can associate to messages — consists of the value of time_s, but only if 
the clock has increased since the last timestamp was chosen; otherwise good_s is empty; good_r 
is, as expected, the left-open interval from lower_r to upper_r; finally, the receiver has issued all 
timestamps up to and including upper_r. The correspondence in Part 6 between current-ok at 
the G level and deadline at the C level is obvious. Finally, Part 7 states that each channel at 
the G level is obtained from the corresponding channel at the C level by removing the send time 
components of all elements. 
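As an added illustration (not code from the report), Definition 10.14 written out as a Python function over dictionary-valued states, followed by a concrete check of one case of the inductive step of Lemma 10.15: an increase-lower_r(t) step of A_C must be matched by a single shrink_good_r((0, t]) step of A_G. The representation is an assumption of the example: a left-open interval (a, b] is the tuple (a, b), nil is None, channels are lists of (packet, send_time) elements, and the constant p in the precondition of increase-lower_r(t) as well as all state values are constructed sample values.

```python
"""Added example (not from the report): the refinement mapping R_CG of
Definition 10.14 over dictionary-valued states, and a check of the
increase-lower_r(t) case of Lemma 10.15 (the C step must map to one
shrink_good_r((0, t]) step of A_G).

Assumptions (not from the report): a left-open interval (a, b] is the tuple
(a, b), nil is None, channels are lists of (packet, send_time), and the
constant p of the increase-lower_r precondition takes the sample value below."""
from math import inf

P = 1.0  # constructed sample value for the constant p in increase-lower_r(t)

# Part 1: variables copied unchanged from the C level to the G level
COPIED = ["now", "mode_s", "buf_s", "current_msg_s", "current_ack_s", "used_s",
          "mode_r", "buf_r", "nack_buf_r"]


def packets(ch):
    """Channel contents with the send-time components removed (Part 7)."""
    return {p for (p, _send_time) in ch}


def r_cg(s):
    """R_CG(s): the G-level state u determined by the C-level state s."""
    u = {x: s[x] for x in COPIED}                                # Part 1
    u["last_s"] = None if s["last_s"] == 0 else s["last_s"]      # Part 2
    u["last_r"] = None if s["last_r"] == 0 else s["last_r"]
    u["good_s"] = {s["time_s"]} - {s["last_s"]}                  # Part 3
    u["good_r"] = (s["lower_r"], s["upper_r"])                   # Part 4: (lower_r, upper_r]
    u["issued_r"] = (0, s["upper_r"])                            # Part 5: (0, upper_r]
    u["current_ok"] = s["deadline"] != inf                       # Part 6
    u["sr"] = packets(s["sr"])                                   # Part 7
    u["rs"] = packets(s["rs"])
    return u


def increase_lower_r(s, t):
    """C-level increase-lower_r(t); only lower_r changes (precondition asserted)."""
    assert s["mode_r"] != "rec" and s["lower_r"] < t <= s["time_r"] - P
    s2 = dict(s)
    s2["lower_r"] = t
    return s2


def shrink_good_r_prefix(u, t):
    """Effect of shrink_good_r((0, t]) on u when good_r = (a, b] with a < t <= b:
    good_r becomes (t, b] and no other variable changes."""
    a, b = u["good_r"]
    assert a < t <= b
    u2 = dict(u)
    u2["good_r"] = (t, b)
    return u2


def check_increase_lower_case(s, t):
    """The increase-lower_r(t) case of Lemma 10.15: R_CG(s') must equal the
    result of one shrink_good_r((0, t]) step taken from R_CG(s)."""
    u = r_cg(s)
    return r_cg(increase_lower_r(s, t)) == shrink_good_r_prefix(u, t)


# constructed sample C-level state (sender idle, receiver idle, one packet per channel)
SAMPLE = {
    "now": 9.0, "mode_s": "idle", "buf_s": (), "current_msg_s": None,
    "current_ack_s": False, "used_s": (5,), "last_s": 5, "time_s": 9.0,
    "mode_r": "idle", "buf_r": (), "nack_buf_r": (), "last_r": 5,
    "lower_r": 5, "upper_r": 20, "time_r": 9.2, "deadline": inf,
    "sr": [(("a", 5), 7.0)], "rs": [((5, True), 8.0)],
}

if __name__ == "__main__":
    u = r_cg(SAMPLE)
    print("good_s =", u["good_s"], "good_r =", u["good_r"], "issued_r =", u["issued_r"])
    print("increase-lower_r(7) matched by shrink_good_r((0, 7]):",
          check_increase_lower_case(SAMPLE, 7))
```

The check mirrors the argument of the proof: since lower_r is used by R_CG only to define good_r, the image of the C step differs from R_CG(s) exactly in good_r, which loses the prefix (0, t]; the dictionary equality confirms this for the sample state with t = 7.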

We now prove that R_CG is in fact a timed refinement mapping from A_C to A_G (with respect 
to I_C^h and I_G). 

Lemma 10.15 

A_C^{h'} ≤_{tR} A_G^{p'} via R_CG. 

Proof 

We prove that R_CG is a timed refinement mapping from A_C to A_G with respect to I_C^h and I_G. 
We check the three conditions (which we call real time correspondence, base case, and inductive 
case, respectively) of Definition 5.18. 

Real Time Correspondence 

From the definition of R_CG we see that for all states s of C, R_CG(s).now = s.now as required. 

Base Case 

For the initial condition, let s be the start state of C. Then it is easy to check that R_CG(s) is a 
start state of A_G. 

Inductive Case 

Assume (s, a, s') ∈ steps(A_C) such that s and s' satisfy I_C^h and R_CG(s) satisfies I_G. Below 
we consider cases based on a (and sometimes subcases of each case) and for each (sub)case we 
define a finite execution fragment α of A_G of the form (R_CG(s), a'', u'', a''', u''', ..., R_CG(s')) with 
vis-trace(α) = vis-trace(a). For brevity we let u denote R_CG(s) and u' denote R_CG(s'). 

a = ν 

Then (u, ν, u') ∈ steps(A_G): the only change in going from s to s' is that the now variable 
increases, thus, by definition of R_CG, the only difference between u and u' is that the now 
variable of A_G increases and all such changes are allowed in A_G. 
a ∈ {send_msg(m), receive_msg(m), ack(b)} 

Then it is easy to see that (u, a, u') ∈ steps(A_G). This step (and finite execution fragment) 
clearly has the right visible trace. 

a ∈ {crash_s, crash_r} 

Then it is easy to see that (u, a, u') ∈ steps(A_G). This step (and finite execution fragment) 
clearly has the right visible trace. 

The only thing to note here is the handling of deadline. The step of A_C changes deadline to ∞ 
but this corresponds, according to the definition of R_CG, to changing current-ok to false in A_G 
as required by the definition of the crash actions in A_G. 

a = recover_s 

We show that (u, recover_s, u'', shrink_good_s(s.time_s), u'), where u'' is defined below, is a finite 
execution fragment of A_G by showing that (u, recover_s, u'') and (u'', shrink_good_s(s.time_s), u') 
are steps of A_G. Clearly the execution fragment has the right visible trace. 

Define u''.mode_s = idle 
       u''.last_s = s.time_s 
       u''.buf_s = ε 
       u''.current-msg_s = nil 
       u''.current-ack_s = false 
       u''.x = u.x for the remaining state variables x 

First, consider (u, recover_s, u''). From the definition of recover_s in A_C we have that s.mode_s = 
rec which implies, by the definition of R_CG, that also u.mode_s = rec. Thus, recover_s is enabled 
in u. Then, by definition of u'' and recover_s in A_G, clearly (u, recover_s, u'') ∈ steps(A_G). 

Next, consider (u'', shrink_good_s(s.time_s), u'). The definition of shrink_good_s in A_G has no 
precondition, so shrink_good_s(s.time_s) is enabled in u''. From the definitions of u'' and R_CG we 
have that u''.good_s = u.good_s ⊆ {s.time_s}. 

We must show that the differences between u'' and u' are allowed by the definition of the 
shrink_good_s(s.time_s) steps in A_G. This amounts, by the definition of shrink_good_s(s.time_s) in 
A_G, to showing that u'.good_s = u''.good_s \ {s.time_s} and that all other state variables of A_G 
have the same values in u'' and u'. 

For good_s we have that u'.good_s = ∅ (since s'.time_s = s'.last_s), but from above we have 
u''.good_s ⊆ {s.time_s}, so u'.good_s = u''.good_s \ {s.time_s} as required. 

It is easy to check that the rest of the state variables of A_G have the same values in u'' and u'. 
a = recover_r 

We show that 
(u, shrink_good_r((s.lower_r, s.upper_r]), u'', grow_good_r((s.upper_r, s.time_r + β]), u''', recover_r, u'), 
where u'' and u''' are defined below, is a finite execution fragment of A_G by showing that 
(u, shrink_good_r((s.lower_r, s.upper_r]), u''), (u'', grow_good_r((s.upper_r, s.time_r + β]), u'''), and 
(u''', recover_r, u') are steps of A_G. The execution fragment clearly has the right visible trace. 

Define u''.good_r = ∅ 
       u''.x = u.x for the remaining state variables x 

First, consider (u, shrink_good_r((s.lower_r, s.upper_r]), u''). From the precondition of the recover_r 
steps in A_C and the definition of R_CG we have that u.mode_r = s.mode_r = rec. Then In- 
variant 8.6 Part 2 implies that u.current-ok = false, thus, shrink_good_r((s.lower_r, s.upper_r]) is 
enabled in u. Since the definition of R_CG implies that u.good_r = (s.lower_r, s.upper_r], it is easy 
to see that (u, shrink_good_r((s.lower_r, s.upper_r]), u'') ∈ steps(A_G). 

Define u'''.issued_r = (0, s.time_r + β] 
       u'''.good_r = (s.upper_r, s.time_r + β] 
       u'''.x = u''.x for the remaining state variables x 

Next, consider (u'', grow_good_r((s.upper_r, s.time_r + β]), u'''). By definition of u'' and R_CG we 
have that u''.issued_r = u.issued_r = (0, s.upper_r]. So, (s.upper_r, s.time_r + β] and u''.issued_r do 
not intersect. Also, by adding (s.upper_r, s.time_r + β] to issued_r we still have infinitely many 
unused timestamps left in T. Thus, grow_good_r((s.upper_r, s.time_r + β]) is enabled in u''. Since 
u''.good_r = ∅ by definition, it is easy to see that the change in good_r is as required by the 
definition of the grow_good_r((s.upper_r, s.time_r + β]) steps in A_G^p. To show that also issued_r is 
handled correctly, we must show that u'''.issued_r = u''.issued_r ∪ (s.upper_r, s.time_r + β], i.e., we 
must show that (0, s.time_r + β] = (0, s.upper_r] ∪ (s.upper_r, s.time_r + β]. A sufficient condition 
for this to hold is that s.time_r + β > s.upper_r, but this is implied by the precondition of the 
recover_r step in A_C. To leave all other state variables unchanged is also as required by the 
definition of grow_good_r((s.upper_r, s.time_r + β]) in A_G^p. 

Finally, consider (u''', recover_r, u'). We have u'''.mode_r = u.mode_r = s.mode_r = rec, so recover_r 
is enabled in u'''. We show that all state variables are handled according to the definition of 
recover_r in A_G^p. The only interesting cases are issued_r and good_r. 

For issued_r we have u'''.issued_r = (0, s.time_r + β] by definition of u''' and furthermore u'.issued_r = 
(0, s'.upper_r] = (0, s.time_r + β] by definition of R_CG and the recover_r step in A_C. Thus, 
u'''.issued_r = u'.issued_r and this is allowed by the definition of recover_r in A_G if |T \ s'.issued_r| = 
∞, which is clearly satisfied, and if u'.issued_r includes a) u'''.issued_r, b) u'''.used_s, and c) u'''.good_s. 
Case a) is clearly satisfied. For b) we have u'''.used_s = u.used_s = (0, s.last_s]. Thus, we must show 
that s.last_s ≤ s.time_r + β, but this follows from s.last_s ≤ s.time_s ≤ s.time_r + 2ε ≤ s.time_r + β, 
where the first inequality follows from Invariant 10.3 Part 1, the second inequality follows from 
Invariant 10.1 Part 5, and the third inequality follows from the definition of β. For c) we have 
u'''.good_s = u.good_s = {s.time_s} \ {s.last_s}. It suffices to show that s'.time_s ≤ s'.upper_r (since 
s'.time_s = s.time_s and s'.upper_r = s.time_r + β), but that follows from Invariant 10.2 Part 2. 
Thus, issued_r is handled correctly. 

For good_r we have u'''.good_r = (s.upper_r, s.time_r + β] and u'.good_r = (s'.lower_r, s'.upper_r] but 
since s'.lower_r = s.upper_r and s'.upper_r = s.time_r + β, by definition of the recover_r step in A_C, 
we have that u'''.good_r = u'.good_r as required by the definition of recover_r in A_G. 

a ∈ {send_pkt_sr(m,t), send_pkt_rs(t, true), send_pkt_rs(t, false)} 

It is straightforward to show that (u, a, u') ∈ steps(A_G). This step (and finite execution frag- 
ment) clearly has the right visible trace. 

a = receive_pkt_sr(m,t) 

We consider cases. 
1. s.mode_r ≠ rec and s.lower_r < t ≤ s.upper_r. 

   We show that (u, receive_pkt_sr(m,t), u'', shrink_good_r((s.lower_r, t]), u'), where u'' is defined 
   below, is a finite execution fragment of A_G by showing that (u, receive_pkt_sr(m,t), u'') and 
   (u'', shrink_good_r((s.lower_r, t]), u') are steps of A_G. Clearly the execution fragment has the 
   right visible trace. 

   Define u''.good_r = u.good_r \ {t' | t' <_u t} 
          u''.x = u'.x for the remaining state variables x 

   First, consider (u, receive_pkt_sr(m,t), u''). By the case assumption and the definition of 
   R_CG, we have u.mode_r ≠ rec and t ∈ u.good_r. Then, by definition of receive_pkt_sr(m,t) in 
   A_G and u'' it is easy to see that (u, receive_pkt_sr(m,t), u'') ∈ steps(A_G). 

   Then consider (u'', shrink_good_r((s.lower_r, t]), u'). We show that shrink_good_r((s.lower_r, t]) 
   is enabled in u''. Assume u''.current-ok = true (otherwise shrink_good_r((s.lower_r, t]) is 
   trivially enabled). Then, by definition of receive_pkt_sr(m,t) in A_G^p we have u''.last_s ≠ t or 
   u''.mode_s ≠ send. By the precondition of shrink_good_r((s.lower_r, t]), we must show two 
   conditions. 

   1) First, since mode_s ranges over {idle, send, rec} in A_C, we have u.mode_s (= u''.mode_s) ≠ 
   needid. Thus, the first condition is satisfied. 

   2) Second, assume u''.mode_s = send. We must show that u''.last_s ∉ (s.lower_r, t]. From 
   above we have u''.last_s ≠ t. Then since s'.last_r = u'.last_r = u''.last_r = t, Invariant 10.6 
   Part 3 implies t ≤ u''.last_s. That suffices. 

   Thus, shrink_good_r((s.lower_r, t]) is enabled in u''. 

   We must show that all state variables of A_G^p are handled correctly. This is easy for all 
   variables other than good_r by explicit definition of u''. 

   For good_r we must show that u'.good_r = u''.good_r \ (s.lower_r, t]. Since s'.lower_r = t and 
   s'.upper_r = s.upper_r, the definitions of R_CG and u'' imply u''.good_r = (s.lower_r, s'.upper_r] \ 
   {t' | t' <_u t} and u'.good_r = (t, s'.upper_r]. Thus, it suffices to show that if t' <_u t, then 
   t' ≤ t, but that follows directly from Invariant 10.8 Part 1. That suffices. 

2. s.mode_r = rec or ¬(s.lower_r < t ≤ s.upper_r) 

   We show that (u, receive_pkt_sr(m,t), u') ∈ steps(A_G). This step (and execution fragment) 
   clearly has the right trace. We consider subcases. 

   (a) mode_r = rec. 

   In this case the only difference between s and s' is that s'.sr is missing one element 
   ((m,t), t'') compared to s.sr. Thus, the only difference between u and u' is, by definition 
   of R_CG, that u'.sr is missing one packet (m,t) compared to u.sr. 

   Since s.mode_r = rec we have u.mode_r = rec, so in this case it is easy to see that 
   (u, receive_pkt_sr(m,t), u') ∈ steps(A_G). 

   (b) mode_r ≠ rec, ¬(s.lower_r < t ≤ s.upper_r), and last_r < t < lower_r. 

   In this case the only difference between s and s' is that s'.nack-buf_r = s.nack-buf_r ⌢ t 
   and s'.sr is missing one element ((m,t), t'') compared to s.sr. Then the definition of 
   R_CG implies that u' and u are the same except that u'.nack-buf_r = u.nack-buf_r ⌢ t and 
   u'.sr is missing one packet (m,t) compared to u.sr. 

   Now, the definition of R_CG implies that u.mode_r ≠ rec and t ∉ u.good_r, and since 
   s.last_r < t, u.last_r ≠ t. Thus, by definition of receive_pkt_sr(m,t) in A_G, it is easy to 
   see that (u, receive_pkt_sr(m,t), u') ∈ steps(A_G). 
   (c) mode_r ≠ rec, ¬(s.lower_r < t ≤ s.upper_r), ¬(last_r < t < lower_r), mode_r = idle, and 
   last_r = t. 

   In this case the only difference between s and s' is that s'.mode_r = ack and s'.sr is 
   missing one element ((m,t), t'') compared to s.sr. Then the definition of R_CG implies 
   that u' and u are the same except that u.mode_r = idle, u'.mode_r = ack and u'.sr is 
   missing one packet (m,t) compared to u.sr. 

   We have, by definition of R_CG, that u.mode_r = idle and t ∉ u.good_r. Furthermore, 
   the case assumption and Invariant 10.12 imply that s.last_r > 0, so, by the definition of 
   R_CG, u.last_r = s.last_r = t. Then, by definition of receive_pkt_sr(m,t) in A_G, it is easy 
   to see that (u, receive_pkt_sr(m,t), u') ∈ steps(A_G). 

   (d) mode_r ≠ rec, ¬(s.lower_r < t ≤ s.upper_r), ¬(last_r < t < lower_r), and (mode_r ≠ idle 
   or last_r ≠ t). 

   In this case the only difference between s and s' is that s'.sr is missing one element 
   ((m,t), t'') compared to s.sr. Thus, the only difference between u and u' is, by definition 
   of R_CG, that u'.sr is missing one packet (m,t) compared to u.sr. 

   We must show that the definition of receive_pkt_sr(m,t) in A_G allows all state variables 
   except sr to be unchanged. (The change to sr is as required by receive_pkt_sr(m,t).) 
   As in the previous case we have u.mode_r ≠ rec and t ∉ u.good_r. Thus, according to 
   the definition of receive_pkt_sr(m,t) for the receiver of A_G^p, the required changes to the 
   state variables are not given by the first alternative in the embedded if-statement. 
   Now assume t ≠ s.last_r (cf. the case assumption). Then also t ≠ u.last_r. Then, 
   by definition of receive_pkt_sr(m,t) in A_G^p, we see that in order for A_G to allow 
   u'.nack-buf_r = u.nack-buf_r it suffices to show that t ≠ u.last_s. By the case assumption 
   and Invariant 10.2 Part 2, Invariant 10.3 Part 1, and Invariant 10.6 Part 1, t < s.last_r. 
   Thus, u.last_r = s.last_r > t. That suffices. 

   Finally, assume that t = s.last_r and mode_r ≠ idle. Then it is clearly the case that 
   (u, receive_pkt_sr(m,t), u') ∈ steps(A_G). 

a = receive_pkt_rs(t,b) 

We show that (u, receive_pkt_rs(t,b), u') ∈ steps(A_G). This step (and finite execution fragment) 
clearly has the right visible trace. 

Since (t,b) ∈ packets(s.rs), the definition of R_CG gives (t,b) ∈ u.rs. Thus, receive_pkt_rs(t,b) is 
enabled in u. 

We consider cases based on the if-statement in the definition of receive_pkt_rs(t,b) of the sender 
in A_C. In both cases a ((t,b), t') element of s.rs gets removed and this corresponds, by the 
definition of R_CG, to removing a (t,b) element from u.rs, but this is as required by the definition 
of receive_pkt_rs(t,b) in A_G. Below we consider the remaining state variables of A_G. 

Assume s.mode_s ≠ send or s.last_s ≠ t. Then the only difference between s and s' is the 
change in the channel rs as described above, so the only difference between u' and u is the 
corresponding change in rs (according to R_CG). Now, the definition of R_CG implies that 
u.mode_s ≠ send or u.last_s ≠ t, so we see, from the definition of receive_pkt_rs(t,b) in A_G, 
that (u, receive_pkt_rs(t,b), u') ∈ steps(A_G). 

Then, assume s.mode_s = send and s.last_s = t. From Invariant 10.13 we have t > 0, so the 
definition of R_CG implies that u.mode_s = send and u.last_s = t. Thus, the condition of the 
if-statement in A_G is satisfied. It is now easy to see that the changes made by A_C correspond 
to allowed changes in A_G. (Note that u.last_s = u'.last_s but this is allowed by the definition of 
receive_pkt_rs(t,b) in A_G.) 

a = choose_id(t) 

We show that (u, prepare, u'', grow_good_s(t), u''', choose_id(t), u'''', shrink_good_s(t), u'), where u'', 
u''', and u'''' are defined below, is an execution fragment of A_G by showing that (u, prepare, u''), 
(u'', grow_good_s(t), u'''), (u''', choose_id(t), u''''), and (u'''', shrink_good_s(t), u') are steps of A_G. 
Clearly the execution fragment has the right visible trace. 

Define u''.mode_s = needid 
       u''.good_s = ∅ 
       u''.current-msg_s = head(u.buf_s) 
       u''.buf_s = tail(u.buf_s) 
       u''.current-ok = (if u.mode_r ≠ rec then true else u.current-ok) 
       u''.x = u.x for the remaining state variables x 

We first consider (u, prepare, u''). From the precondition of the choose_id(t) steps in A_C we have 
that s.mode_s = idle and s.buf_s ≠ ε. This implies, by the definition of R_CG, that u.mode_s = 
idle and u.buf_s = s.buf_s ≠ ε. Thus, prepare is enabled in u (and furthermore u'' is well-defined). 
Now, by definition of u'', clearly (u, prepare, u'') ∈ steps(A_G). 

Define u'''.good_s = {t} 
       u'''.x = u''.x for the remaining state variables x 

Next, consider (u'', grow_good_s(t), u'''). We have, from the definition of u'', that u''.mode_s = 
needid, so from the definition of grow_good_s(t) in A_G we have to show three conditions in 
order to show that grow_good_s(t) is enabled in u''. First, assume u''.mode_r ≠ rec. We must 
show t ∈ u''.issued_r. We have u''.issued_r = u.issued_r = (0, s.upper_r] (by definition of u'' and 
R_CG) and t = s.time_s > s.last_s (from the precondition of choose_id(t) in A_C), so we must 
show that s.time_s ≤ s.upper_r but that follows from Invariant 10.2 Part 2. Second, assume 
u''.current-ok = true. We must show t ∈ u''.good_r, thus since u''.good_r = u.good_r, we must 
show time_s ∈ (s.lower_r, s.upper_r]. The lower bound follows from Invariant 10.7 Part 2 since the 
precondition of the choose_id(t) step in A_C implies that s.last_s < s.time_s. The upper bound 
is already shown in the treatment of the first part of the precondition above. Third, we must 
show that t ∉ u''.used_s, thus we must show that s.time_s ∉ (0, s.last_s] but that follows from the 
precondition of the choose_id(t) steps in A_C. Thus, we have shown that grow_good_s(t) is enabled 
in u''. Now, by definition of u''' and since u''.good_s = ∅, obviously (u'', grow_good_s(t), u''') ∈ 
steps(A_G). 

Define u''''.mode_s = send 
       u''''.last_s = t 
       u''''.used_s = u'''.used_s ⌢ t 
       u''''.x = u'''.x for the remaining state variables x 

Next, consider (u''', choose_id(t), u''''). By the definitions of u'', u''', and R_CG we have that 
u'''.mode_s = needid and t ∈ u'''.good_s (= {t}). Thus, choose_id(t) is enabled in u'''. By 
definition of u'''' and choose_id(t), clearly (u''', choose_id(t), u'''') ∈ steps(A_G). 

Finally, consider (u'''', shrink_good_s(t), u'). From the definition of shrink_good_s(t) in A_G we see 
that we must show that u'''' and u' are the same except that u'.good_s = u''''.good_s \ {t}. From the 
definition of R_CG and the choose_id(t) step of A_C we have u'.good_s = {s'.time_s} \ {s'.last_s} = ∅. 
Thus, since u''''.good_s = u'''.good_s = {t}, the condition on good_s is satisfied. It is trivial to check 
that all other state variables of A_G are handled correctly. 

a = increase-lower_r(t) 

We show that (u, shrink_good_r((0, t]), u') ∈ steps(A_G). This step (and finite execution fragment) 
clearly has the right visible trace. 

From the precondition of increase-lower_r(t) in A_C we have s.mode_r ≠ rec and s.lower_r < t ≤ 
s.time_r − p. 

We first show that shrink_good_r((0, t]) is enabled in u. If u.current-ok = false then this 
is obvious. So assume u.current-ok = true. We must check two conditions. First assume 
u.mode_s = needid. Then we must show that (0, t] ∩ u.good_s = ∅ which, by definition of R_CG, 
amounts to showing (0, t] ∩ ({s.time_s} \ {s.last_s}) = ∅. Thus, it suffices to show t < s.time_s 
which, by definition of increase-lower_r(t) in A_C, is the same as showing s'.lower_r < s'.time_s, 
but this is implied by Invariant 10.3 Part 1 and Invariant 10.10 Part 6, where the latter in- 
variant applies since u.current-ok = true implies s.deadline ≠ ∞ which again, by definition of 
increase-lower_r(t), implies s'.deadline ≠ ∞. For the second condition in the precondition we 
must show, under the assumption that u.mode_s = send, that u.last_s > t, which is implied by 
proving s'.last_s > s'.lower_r. Again, Invariant 10.10 Part 6 gives the result. 
Thus, shrink_good_r((0, t]) is enabled in u. 

To show that (u, shrink_good_r((0, t]), u') ∈ steps(A_G^p) we must finally show that u'.good_r = 
u.good_r \ (0, t] and that all other state variables in A_G^p have the same values in u and u'. By defini- 
tion of R_CG and increase-lower_r(t) we have u.good_r = (s.lower_r, s.upper_r] = (s.lower_r, s'.upper_r] 
and u'.good_r = (t, s'.upper_r], so since t > s.lower_r, by the precondition of increase-lower_r(t), 
it is easy to see that the condition for good_r is satisfied. Since the increase-lower_r(t) step of 
A_C only changes lower_r and lower_r is only used in the definition of R_CG to define good_r, it is 
obvious that all state variables, but good_r, of A_G have the same values in u and u'. 

a = increase-upper_r(t) 

We show that (u, grow_good_r((s.upper_r, t]), u') ∈ steps(A_G). This step (and finite execution 
fragment) clearly has the right visible trace. 

Since, by definition of R_CG, u.issued_r = (0, s.upper_r], it is obvious that u.issued_r ∩ (s.upper_r, t] = 
∅ and that |T \ (u.issued_r ∪ (s.upper_r, t])| = ∞. Thus, a grow_good_r((s.upper_r, t]) step is enabled 
in u. 

Now we first show that u'.issued_r = u.issued_r ∪ (s.upper_r, t] and u'.good_r = u.good_r ∪ (s.upper_r, t], 
as required by the definition of grow_good_r((s.upper_r, t]) in A_G. For issued_r we have u.issued_r = 
(0, s.upper_r] and u'.issued_r = (0, s'.upper_r] = (0, t]. Now, since t > s.upper_r, by the precondition 
of increase-upper_r(t), the condition for issued_r is clearly satisfied. For good_r we similarly have 
u.good_r = (s.lower_r, s.upper_r] and u'.good_r = (s'.lower_r, s'.upper_r] = (s.lower_r, t]. Thus, the 
condition for good_r is also satisfied. 

We must finally show that all other state variables in A_G have the same values in u and u', but 
this is obvious since the increase-upper_r(t) step of A_C only changes upper_r, and upper_r is only 
used in R_CG to define good_r and issued_r. 
a = cleanup_r 

We show that (u, cleanup_r, u') ∈ steps(A_G). This step (and finite execution fragment) clearly 
has the right visible trace. 

By the precondition of cleanup_r we have s.mode_r ∈ {idle, ack} and s.time_r > s.rm-time_r + α. 
By the definition of R_CG and Invariant 10.10, we have u.mode_r ∈ {idle, ack} and u.mode_s = send ⇒ 
u.last_s ≠ u.last_r. Thus, cleanup_r is enabled in u. 

It is now easy to see that the variable changes specified by the cleanup_r step of A_C correspond 
to the required variable changes of the cleanup_r step of A_G^p. (The change of rm-time_r in A_C 
does not affect any of the variables of A_G.) Thus, (u, cleanup_r, u') ∈ steps(A_G). 

a = tick_s 

We consider cases. 

1. s'.time_s = s.time_s 

   In this case clearly s' = s and thus u' = u. Then the finite execution fragment u of A_G 
   has the right properties. 

2. s'.time_s ≠ s.time_s 

   We show that (u, shrink_good_s(s.time_s), u'', grow_good_s(s'.time_s), u'), where u'' is defined 
   below, is a finite execution fragment of A_G by showing that (u, shrink_good_s(s.time_s), u'') 
   and (u'', grow_good_s(s'.time_s), u') are steps of A_G. Clearly this execution fragment has the 
   right visible trace. 

   Define u''.good_s = ∅ 
          u''.x = u.x for the remaining state variables x 

   First, consider (u, shrink_good_s(s.time_s), u''). Note that trivially shrink_good_s(s.time_s) is 
   enabled in u. We check that all state variables of A_G are handled correctly. By the 
   definition of R_CG we have u.good_s ⊆ {s.time_s}. Then, since u''.good_s = ∅, good_s is handled 
   correctly. By definition all other variables of A_G have the same values in u and u'', which 
   is also as required by the definition of shrink_good_s(s.time_s) in A_G. 

   Then, consider (u'', grow_good_s(s'.time_s), u'). By definition of R_CG (and the fact that mode_s 
   ranges over {idle, send, rec} in A_C), we have u.mode_s ≠ needid and consequently, by 
   definition of u'', u''.mode_s ≠ needid. This shows that grow_good_s(s'.time_s) is enabled in 
   u''. 

   By Invariant 10.3 Part 1, s.last_s ≤ s.time_s. The case assumption together with the 
   precondition of the tick_s steps of the clock subsystem implies that s'.time_s > s.time_s. 
   Then since s'.last_s = s.last_s, we have s'.time_s ≠ s'.last_s. This implies, by definition of 
   R_CG, that u'.good_s = {s'.time_s}. Thus, good_s is handled as required by the definition of 
   grow_good_s(s'.time_s) in A_G. It is easy to see that all the remaining variables of A_G have the 
   same values in u'' and u', which is also as required by the definition of grow_good_s(s'.time_s) 
   in A_G. That suffices. 

a = tick_r 

We show that u' = u. Then the finite execution fragment u clearly has the right properties. 

Now, clearly u' = u since the tick_r step of A_C only changes time_r and ctime_r, and these variables 
are not mentioned in the definition of R_CG. 
This concludes the simulation proof. 

■ 

This simulation result allows us to prove that A_C safely implements A_G^p, and, in turn, that A_C 
safely implements G^p. 

Lemma 10.16 

A_C^{h'} ⊑_{St} A_G^{p'} 

Proof 

Immediate by Lemmas 10.15 and 5.23. 

■ 

Theorem 10.17 

A_C ⊑_{St} patient(A_G) 

Proof 

By Lemma 10.16 and Lemma 5.29 we get 

A'_C ⊑_{St} patient(A'_G) 

which by substitutivity (Lemma 2.33) implies 

A'_C ∥ A_C ⊑_{St} patient(A'_G) ∥ A_C 

which, by definition of A_C and A_G, gives 

A'_C ∥ A_C ⊑_{St} patient(A'_G) ∥ A_G 

By Proposition 2.38 we then get 

A'_C ∥ A_C ⊑_{St} patient(A'_G ∥ A_G) 

which fin�ally, by definition of A'_G and A_G, gives the result 

A_C ⊑_{St} patient(A_G) 

■ 

10.5.4 Correctness 

The liveness proof presented in this section is significantly simpler than the liveness proof in 
the proof of correctness of H. The reason is that the sender and receiver processes are very 
similar in C and G, and that the packets sent to the channels at the two levels are of the same 
type. Recall that at the H level, additional packet types (needid, accept, and done) made the 
liveness proof very complex. 

Actually, the only preliminary lemmas we need express the fact that the timing requirements 
of the timed channels are sufficient to guarantee the liveness requirements specified for the 
untimed channels used at the G level. 

Lemma 10.18 

1. exec^∞(A_C) ⊨ ∀p : (□◇(send_pkt_sr(p)) ⇒ □◇(receive_pkt_sr(p))) 

2. exec^∞(A_C) ⊨ ∀p : WF(receive_pkt_sr(p)) 
Proof 

We only sketch the proofs. 

1. Consider any packet p and assume α is an admissible execution of A_C such that α ⊨ 
   □◇(send_pkt_sr(p)), thus, send_pkt_sr(p) occurs infinitely often in α. For every k occurrences 
   of send_pkt_sr(p) at least one element of the form (p,t), where t is the send time for p, is 
   placed in sr. By the maximum channel delay d, we have that not later than real time t + d 
   a receive_pkt_sr(p) action occurs. Then, since α is admissible, for every k occurrences of 
   send_pkt_sr(p) in α there is at least one occurrence of receive_pkt_sr(p). Thus, since there 
   are infinitely many occurrences of send_pkt_sr(p), there are infinitely many occurrences of 
   receive_pkt_sr(p), i.e., α ⊨ □◇(receive_pkt_sr(p)). That suffices. 

2. Consider any packet p and assume α is an admissible execution of A_C such that for some 
   suffix α₁ of α, α₁ ⊨ □(p ∈ packets(sr)) (the enabling condition for receive_pkt_sr(p) is 
   (p ∈ packets(sr))). Then, for any time t, a receive_pkt_sr(p) action occurs not later than 
   time t + d since all packets must have left the channel after at most the channel delay 
   time d. Then, since α is admissible, infinitely many occurrences of receive_pkt_sr(p) occur 
   in α₁. Thus, α₁ ⊨ □◇(receive_pkt_sr(p)). That suffices by definition of WF. 

■ 

Lemma 10.19 

1. exec^∞(A_C^h) ⊨ ∀p : (□◇(send_pkt_rs(p)) ⇒ □◇(receive_pkt_rs(p))) 

2. exec^∞(A_C^h) ⊨ ∀p : WF(receive_pkt_rs(p)) 

Proof 

Similar to the proof of Lemma 10.18. 

■ 



We can now show the main part of the liveness proof, namely, if $\alpha$ is a live execution of $C'$ and 
$\alpha'$ is an execution of $G'^{p}$ such that $(\alpha, \alpha') \in R_{CG}$, then $\alpha'$ is live. As usual, we prove this result 
by contradiction. Thus, we assume that $\alpha'$ is not live and then derive a contradiction with the 
fact that $\alpha$ is live. 

Lemma 10.20 

Let $\alpha \in \mathit{exec}^{\infty}(A_C)$ and $\alpha' \in \mathit{exec}^{\infty}(A_G^{p})$ be arbitrary admissible executions of $A_C$ and $A_G^{p}$, 
respectively, with $(\alpha, \alpha') \in R_{CG}$. Assume $\alpha \models Q_C$. Then $\alpha' \models Q_G$. 

Proof 

We prove the conjecture by contradiction. Thus, 

Assume: $\alpha' \not\models Q_G$ 
Prove: False 

(1)1. $\alpha' \models \neg WF(C_{G,s/r1}) \vee$ 
      $\neg\Box(\Box(\mathit{mode}_s = \mathit{needid} \wedge \mathit{mode}_r \neq \mathit{rec}) \Rightarrow \Diamond(C_{G,s/r2})) \vee$ 
      $\neg WF(C_{G,s/r3}) \vee$ 
      $\neg WF(C_{G,s/r4}) \vee$ 
      $\neg\forall p : (\Box\Diamond(\mathit{send\_pkt}_{sr}(p)) \Rightarrow \Box\Diamond(\mathit{receive\_pkt}_{sr}(p))) \vee$ 
      $\neg\forall p : WF(\mathit{receive\_pkt}_{sr}(p)) \vee$ 
      $\neg\forall p : (\Box\Diamond(\mathit{send\_pkt}_{rs}(p)) \Rightarrow \Box\Diamond(\mathit{receive\_pkt}_{rs}(p))) \vee$ 
      $\neg\forall p : WF(\mathit{receive\_pkt}_{rs}(p))$ 

Proof: Immediate by the Assumption, the definition of $Q_G$, and the Boolean operators. 

(1)2. Case: $\alpha' \models \neg WF(C_{G,s/r1})$ 

(2)1. $\alpha' \models \Diamond\Box(\mathit{mode}_s \in \{\mathit{idle}, \mathit{send}, \mathit{rec}\}) \wedge \Diamond\Box\neg(C_{G,s/r1})$ 

Proof: From Case Hypothesis (1) by noting that $\mathit{enabled}(C_{G,s/r1}) = (\mathit{mode}_s \in 
\{\mathit{idle}, \mathit{send}, \mathit{rec}\})$ and by expanding $WF$. 

(2)2. $\alpha \models \Diamond\Box(\mathit{mode}_s \in \{\mathit{idle}, \mathit{send}, \mathit{rec}\}) \wedge \Diamond\Box\neg(C_{G,s/r1} \setminus \{\mathit{prepare}\})$ 

Proof: From (2)1 by definition of $R_{CG}$ and by Lemmas 5.25 and 5.26. 

(2)3. $\alpha \models \Diamond\Box(\mathit{mode}_s \in \{\mathit{idle}, \mathit{send}, \mathit{rec}\}) \wedge$ 
      $\Diamond\Box\neg(C_{G,s/r1} \setminus \{\mathit{prepare}\}) \wedge$ 
      $\Diamond\Box\neg(\{\mathit{choose\_id}(t) \mid t \in T\})$ 

Proof: By (2)2 and the definition of $A_C$. Consider a suffix $\alpha_1$ of $\alpha$ that satisfies 
$\alpha_1 \models \Box\neg(C_{G,s/r1} \setminus \{\mathit{prepare}\})$. Then if $\mathit{mode}_s$ is $\mathit{send}$ it will stay $\mathit{send}$ unless a crash 
occurs, in which case $\mathit{mode}_s$ changes to $\mathit{rec}$. However, once in mode $\mathit{rec}$, the sender 
will stay there since no $\mathit{recover}_s$ occurs in $\alpha_1$. Now, $\mathit{choose\_id}(t)$ actions can only 
occur if $\mathit{mode}_s = \mathit{idle}$. However, then the sender never returns to mode $\mathit{idle}$ again, 
as we have just seen. Thus, there is at most one occurrence of a $\mathit{choose\_id}(t)$ action 
in $\alpha_1$. This gives the result. 

(2)4. $\alpha \models \Diamond\Box(\mathit{mode}_s \in \{\mathit{idle}, \mathit{send}, \mathit{rec}\}) \wedge \Diamond\Box\neg(C_{C,s})$ 

Proof: By (2)3 and the definition of $C_{C,s}$. 

(2)5. $\alpha \models \neg WF(C_{C,s})$ 

Proof: From (2)4 by using the definitions of $WF$ and $C_{C,s}$. 

(2)6. Q.E.D. 

Proof: (2)5 contradicts the assumption that $\alpha \models Q_C$. 

(1)3. Case: $\alpha' \models \neg\Box(\Box(\mathit{mode}_s = \mathit{needid} \wedge \mathit{mode}_r \neq \mathit{rec}) \Rightarrow \Diamond(C_{G,s/r2}))$ 

(2)1. $\alpha' \models \Diamond\Box(\mathit{mode}_s = \mathit{needid} \wedge \mathit{mode}_r \neq \mathit{rec}) \wedge \Diamond\Box\neg(C_{G,s/r2})$ 

Proof: Directly by Case Hypothesis (1). 

(2)2. $\alpha \models \Diamond\Box(\mathit{mode}_s \notin \{\mathit{idle}, \mathit{send}, \mathit{rec}\})$ 

Proof: By (2)1, the definition of $R_{CG}$, and Lemma 5.26. 

(2)3. Q.E.D. 

Proof: (2)2 contradicts the fact that always $\mathit{mode}_s \in \{\mathit{idle}, \mathit{send}, \mathit{rec}\}$ at the $C$ 
level. 

(1)4. Case: $\alpha' \models \neg WF(C_{G,s/r3})$ 

(2)1. $\alpha' \models \Diamond\Box(\mathit{mode}_r = \mathit{rec} \vee (\mathit{mode}_r = \mathit{rcvd} \wedge \mathit{buf}_r \neq \varepsilon) \vee \mathit{mode}_r = \mathit{ack}) \wedge$ 
      $\Diamond\Box\neg(C_{G,s/r3})$ 

Proof: By Case Hypothesis (1) and the definitions of $WF$ and $\mathit{enabled}(C_{G,s/r3})$. 

(2)2. $\alpha \models \Diamond\Box(\mathit{mode}_r = \mathit{rec} \vee (\mathit{mode}_r = \mathit{rcvd} \wedge \mathit{buf}_r \neq \varepsilon) \vee \mathit{mode}_r = \mathit{ack}) \wedge$ 
      $\Diamond\Box\neg(C_{G,s/r3})$ 

Proof: From (2)1 by definition of $R_{CG}$, the fact that $C_{G,s/r3}$ contains external 
actions only, and Lemmas 5.25 and 5.26. 

(2)3. $\alpha \models \neg WF(C_{C,r1})$ 

Proof: By (2)2 using the definition of $WF$, the fact that $C_{C,r1} = C_{G,s/r3}$, and the 
definition of $\mathit{enabled}(C_{C,r1})$. 

(2)4. Q.E.D. 

Proof: (2)3 contradicts the assumption that $\alpha \models Q_C$. 

(1)5. Case: $\alpha' \models \neg WF(C_{G,s/r4})$ 

(2)1. Q.E.D. 

Proof: Similar to Case (1)4 we get $\alpha \models \neg WF(C_{C,r2})$, which contradicts the 
assumption that $\alpha \models Q_C$. 

(1)6. Case: $\alpha' \models \neg\forall p : (\Box\Diamond(\mathit{send\_pkt}_{sr}(p)) \Rightarrow \Box\Diamond(\mathit{receive\_pkt}_{sr}(p)))$ 

(2)1. $\alpha' \models \exists p : (\Box\Diamond(\mathit{send\_pkt}_{sr}(p)) \wedge \Diamond\Box\neg(\mathit{receive\_pkt}_{sr}(p)))$ 

Proof: Directly from Case Hypothesis (1). 

(2)2. $\alpha \models \exists p : (\Box\Diamond(\mathit{send\_pkt}_{sr}(p)) \wedge \Diamond\Box\neg(\mathit{receive\_pkt}_{sr}(p)))$ 

Proof: By (2)1, Lemma 3.5 Parts 7 and 8, and Lemma 5.25. 

(2)3. $\alpha \models \neg\forall p : (\Box\Diamond(\mathit{send\_pkt}_{sr}(p)) \Rightarrow \Box\Diamond(\mathit{receive\_pkt}_{sr}(p)))$ 

Proof: Directly from (2)2. 

(2)4. Q.E.D. 

Proof: (2)3 contradicts Lemma 10.18 Part 1. 

(1)7. Case: $\alpha' \models \neg\forall p : WF(\mathit{receive\_pkt}_{sr}(p))$ 

(2)1. $\alpha' \models \exists p : \neg WF(\mathit{receive\_pkt}_{sr}(p))$ 

Proof: Directly from Case Hypothesis (1). 

(2)2. $\alpha' \models \exists p : \Diamond\Box(p \in sr) \wedge \Diamond\Box\neg(\mathit{receive\_pkt}_{sr}(p))$ 

Proof: By (2)1 and the definition of $WF$. 

(2)3. $\alpha \models \exists p : \Diamond\Box(p \in \mathit{packets}(sr)) \wedge \Diamond\Box\neg(\mathit{receive\_pkt}_{sr}(p))$ 

Proof: By (2)2, Lemma 3.5 Parts 7 and 8, the definition of $R_{CG}$, and Lemmas 5.25 
and 5.26. 

(2)4. $\alpha \models \neg\forall p : WF(\mathit{receive\_pkt}_{sr}(p))$ 

Proof: Directly from (2)3 and the definition of $WF$. 

(2)5. Q.E.D. 

Proof: (2)4 contradicts Lemma 10.18 Part 2. 

(1)8. Case: $\alpha' \models \neg\forall p : (\Box\Diamond(\mathit{send\_pkt}_{rs}(p)) \Rightarrow \Box\Diamond(\mathit{receive\_pkt}_{rs}(p)))$ 

Proof: Similar to (1)6 using Lemma 10.19 Part 1. 

(1)9. Case: $\alpha' \models \neg\forall p : WF(\mathit{receive\_pkt}_{rs}(p))$ 

Proof: Similar to (1)7 using Lemma 10.19 Part 2. 

(1)10. Q.E.D. 

Proof: By (1)1 and the exhaustive cases (1)2 to (1)9. 



With this result, the timed refinement mapping result of the previous section, and Lemma 5.24 
we can prove that $C'$ correctly implements $G'^{p}$. 

Lemma 10.21 

$C' \sqsubseteq_{Lt} G'^{p}$ 

Proof 

Immediate by Lemmas 10.15, 10.20, and 5.24. 



This lemma allows us to prove that $C$ correctly implements $\mathit{patient}(G)$. 

Theorem 10.22 

$C \sqsubseteq_{Lt} \mathit{patient}(G)$ 

Proof 

By Lemma 10.21 and Lemma 5.30 we get 

$C' \sqsubseteq_{Lt} \mathit{patient}(G')$ 

which by substitutivity (Lemma 2.33) implies 

$C' \| A_C \sqsubseteq_{Lt} \mathit{patient}(G') \| A_C$ 

which, by definition of $A_G$ and $A_C$, gives 

$C' \| A_C \sqsubseteq_{Lt} \mathit{patient}(G') \| A_G$ 

By Proposition 2.38 we then get 

$C' \| A_C \sqsubseteq_{Lt} \mathit{patient}(G' \| A_G)$ 

which finally, by definition of $C$ and $G$, gives the result 

$C \sqsubseteq_{Lt} \mathit{patient}(G)$ 



Finally, we can state and prove the main result, namely that $C$ correctly implements $\mathit{patient}(S)$. 

Theorem 10.23 

$C \sqsubseteq_{Lt} \mathit{patient}(S)$ 

Proof 

By Theorems 7.18 and 8.19 and the fact that $\sqsubseteq_L$ is transitive, we have $G \sqsubseteq_L S$. Then the 
Embedding Theorem (Theorem 2.37) implies $\mathit{patient}(G) \sqsubseteq_{Lt} \mathit{patient}(S)$. This, Theorem 10.22, 
and the fact that $\sqsubseteq_{Lt}$ is transitive finally give the result. 



10.6 A "Weak" Clock-Based Protocol 

In the previous section we have considered the Clock-Based Protocol C and shown that it 
correctly implements the patient version of the specification S. In the specification of C we have 
made some timing assumptions. Specifically, we have assumed a certain channel retry number 
k and a maximum channel delay d. Now, what if these assumptions are somehow violated in a 
physical implementation of the C protocol? What if a communication wire is damaged during 
some construction work and rerouting leads to a transmission delay greater than d for some 
packet p? Could the C protocol then suddenly reorder or duplicate messages? The answer is 
"no". C is designed in [LSW91] to guarantee ordered at-most-once delivery even if all the timing 
assumptions are violated. However, in case of timing violation the system might lose messages 
even if no crashes occur, but message loss is generally considered less damaging than duplication. 

We suspect that this scenario is general for timing-based communication protocols: without 
timing assumptions the protocols satisfy some minimal requirements (like at-most-once message 
delivery), and with timing assumptions the protocols satisfy additional properties (like exactly-once 
message delivery in the absence of crashes). 

Our proofs above do not indicate that C guarantees at-most-once delivery even if the timing 
assumptions are violated. A formal proof of this property would show that a "weak" version of 
C with no timing assumptions safely implements a "weak" version of S that allows messages to 
be lost at any time. Note, that the reason why we only need to prove safe implementation as 
opposed to correct implementation is that "at-most-once message delivery" is a safety property. 

In order not to have to redo many of the proofs above when performing the proof between 
the weak versions of the protocols, we think that the proofs should be structured as follows: 
first prove that the weak version of C safely implements the weak version of S. Then add the 
additional assumptions, prove additional invariants, and extend the first proof to prove correct 
implementation. 

In a temporal logic setting, like TLA [Lam91], "additional assumptions" are added as new 
conjuncts to the specifications. Proof of safe implementation, which is expressed as implication 
in the logic, should then use the new conjuncts of the specification to prove the new conjuncts 
of the implementation. Exactly how this should be performed in our setting is left for future 
research. 

10.7 The Clock-Based Protocol With One Receiver and Multiple Senders 

Consider the situation depicted in Figure 10.2. The picture shows a situation where several 
receivers, each interacting with a single sender, are placed on the same node. Thus, n copies 
of the sender, receiver, and channels from above are put in parallel. Instead of implementing n 
identical copies of the receiver on the receiver node, a single optimized process can be designed 
that implements the parallel composition of the receivers. 

Figure 10.2 

The Clock-Based Protocol with several receivers on the same node. 

Then, due to the substitutivity results 
for live timed I/O automata (Proposition 2.33), such a multiple-sender receiver (called 
the ms-receiver) will work in concert with the n senders. Below, we let ss-receiver denote the 
single-sender receiver from above. 

In [LSW91], the receiver of the Clock-Based Protocol is in fact designed to handle multiple 
senders. This receiver has a structure very similar to the ss-receiver. However, it is optimized so 
that only one single $\mathit{upper}_r$ variable is needed. This is important since $\mathit{upper}_r$ variables must be 
kept stable and stable updates are expensive. Furthermore, "old" $\mathit{lower}_r$ variables, i.e., $\mathit{lower}_r$ 
variables for senders that have not sent messages for a long time, can be cleaned up such that 
sufficient information about these old variables can be kept in a single common $\mathit{lower}_r$ variable. 

This section describes the design of the ms-receiver of [LSW91] and sketches the proof that it 
implements the parallel composition of n ss-receivers. It turns out that because of the similarities 
between the ms-receiver and the ss-receiver, the proof is very simple. 

Figure 10.3 shows the visible actions of the ms-receiver. There are n versions of the channel 
actions, receive message actions, and recovery actions but only one of both $\mathit{crash}_r$ and $\mathit{tick}_r$. 
This user interface is then the same as one would get by composing n copies of the ss-receiver in 
parallel after indexing all locally-controlled actions with the index of the ss-receiver. It may seem 
strange to have a recovery action for each index; however, since the ms-receiver should implement 
and, thus, have the same user interface as the parallel composition of n (renamed) ss-receivers, 
and since live timed I/O automata cannot synchronize on output actions (like recovery), it is 
inevitable that the ms-receiver has n recovery actions. One should, thus, think of the ms-receiver 
as offering recovery of its n parts, one by one. 

Let $C_{ms,r}$ be a live timed I/O automaton modeling the ms-receiver. It should, then, be 
proved that 

$C_{ms,r} \sqsubseteq_{Lt} C_{r,1} \| \cdots \| C_{r,n}$ 

where $C_{r,i} = \rho_i(C_r)$ and the function $\rho_i$ maps each locally-controlled action of $C_r$ to an indexed 
version of the same action, and is the identity mapping for the remaining actions. For instance, 
$\rho_i$ maps $\mathit{receive\_pkt}_{sr}(p)$ to $\mathit{receive\_pkt}_{sr,i}(p)$. (Actually, the processes $C_{r,1}, \ldots, C_{r,n}$ are not 
compatible in the strong sense where the ordinary state variable names of different processes 
are required to be non-overlapping. So, for present purposes, assume that all state variables of 
$C_{r,i}$ (except $\mathit{now}$) are indexed with $i$.) 

Figure 10.3 

The visible actions of the ms-receiver. 

We do not define $C_{ms,r}$ completely formally but sketch how it works. First, recall that in $C_r$, 
$\mathit{lower}_r$ indicates a lower bound on timestamps that the receiver will accept. Every time a new 
message is accepted, $\mathit{lower}_r$ is advanced to the timestamp of that message. Furthermore, special 
$\mathit{increase\text{-}lower}_r$ steps are in $C_r$ allowed to increase $\mathit{lower}_r$ as long as it is kept small enough to 
allow very slow messages from the sender to be accepted. 

$C_{ms,r}$ contains n versions ($\mathit{lower}_{r,1}, \ldots, \mathit{lower}_{r,n}$) of $\mathit{lower}_r$, one for each sender, and each 
variable $\mathit{lower}_{r,i}$ remembers the last timestamp received from the $i$th sender in order to ensure 
that only messages with later timestamps will be accepted from that sender in the future. 
In $C_{ms,r}$, $\mathit{lower}_{r,i}$ is only advanced when packets are accepted from the $i$th sender, i.e., in 
$\mathit{receive\_pkt}_{sr,i}(p)$ steps. 

Now, $C_{ms,r}$ furthermore contains a $\mathit{common\text{-}lower}_r$ variable. This variable is increased in 
special $\mathit{increase\text{-}common\text{-}lower}_r$ steps, and whenever it advances past the value of a $\mathit{lower}_{r,i}$ 
variable, this $\mathit{lower}_{r,i}$ variable is changed to $\mathit{nil}$, i.e., is cleaned up. Thus, $\mathit{common\text{-}lower}_r$ 
captures all relevant information about the timestamps that must be accepted from senders 
that have not sent for a while, as long as $\mathit{common\text{-}lower}_r$ is kept sufficiently small. 

Also, $C_{ms,r}$ only needs a single $\mathit{upper}_r$ variable, which gives the upper bound on timestamps 
that can be accepted from any sender. 

Figure 10.4 shows how an $\mathit{increase\text{-}common\text{-}lower}_r$ step changes a $\mathit{lower}_{r,i}$ variable to $\mathit{nil}$. In 
situation a), $C_{ms,r}$ will accept timestamps in the interval $(\mathit{common\text{-}lower}_r, \mathit{upper}_r]$ from sender 
2 and timestamps in the interval $(\mathit{lower}_{r,i}, \mathit{upper}_r]$ from sender $i \in \{1, 3\}$. In situation b), 
$\mathit{lower}_{r,3}$ has been cleaned up and $C_{ms,r}$ will consequently now only accept timestamps in the 
interval $(\mathit{common\text{-}lower}_r, \mathit{upper}_r]$ from sender 3. However, this is safe since $\mathit{common\text{-}lower}_r$ is 
kept sufficiently small (in the same way the $\mathit{lower}_r$ variable is kept sufficiently small in $C_r$). 

Figure 10.4 

The difference between situation a) and b) is that an $\mathit{increase\text{-}common\text{-}lower}_r$ step of $C_{ms,r}$ 
has advanced $\mathit{common\text{-}lower}_r$ and thereby has cleaned up $\mathit{lower}_{r,3}$ (by changing it to $\mathit{nil}$). 

All other variables of $C_r$, except $\mathit{time}_r$, have n versions in $C_{ms,r}$. For instance, $C_{ms,r}$ has the n 
buffers $\mathit{buf}_{r,1}, \ldots, \mathit{buf}_{r,n}$. However, of course, only one local receiver clock $\mathit{time}_r$ is needed. 

We only specify the most interesting steps of $C_{ms,r}$. These are the steps labeled with 
$\mathit{receive\_pkt}_{sr,i}(m, t)$ or $\mathit{increase\text{-}common\text{-}lower}_r(t)$ actions. 

receive_pkt_{sr,i}(m, t) 
  Effect: 
    if mode_{r,i} ≠ rec then 
      if (lower_{r,i} ≠ nil ∧ lower_{r,i} < t ≤ upper_r) ∨ 
         (lower_{r,i} = nil ∧ common-lower_r < t ≤ upper_r) then 
        mode_{r,i} := rcvd 
        buf_{r,i} := buf_{r,i} ⌢ m 
        rm-time_{r,i} := ∞ 
        lower_{r,i} := t 
      else if (lower_{r,i} ≠ nil ∧ last_{r,i} < t < lower_{r,i}) ∨ 
              (lower_{r,i} = nil ∧ last_{r,i} < t < common-lower_r) then 
        nack-buf_{r,i} := nack-buf_{r,i} ⌢ t 
      else if mode_{r,i} = idle ∧ last_{r,i} = t then 
        mode_{r,i} := ack 

increase-common-lower_r(t) 
  Precondition: 
    ∀i : (mode_{r,i} ≠ rec) ∧ 
    common-lower_r < t < time_r − ρ 
  Effect: 
    common-lower_r := t 
    for all i with lower_{r,i} ≠ nil: 
      if common-lower_r > lower_{r,i} then 
        lower_{r,i} := nil 

Note that the timing constant $\rho$, which occurs in the definition of $\mathit{increase\text{-}common\text{-}lower}_r$ 
steps, is the same constant as for the ss-receiver above. 
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Steps labeled by crash r should in C mS)r change all mode ri variables to rec. 

It requires a timed refinement mapping to verify that C mS)r correctly implements C ri i|| • • • ||C ri „. 
This refinement mapping R ms maps most variables one-to-one. Let s be any state of C mS)r . 
Then R ms (s) is the state u that for all i satisfies 

• u.upper ri = s. upper r . 

• u.time ri = s.time r . 

• u.lower ri = (if s.lower ri ^ nil then s.lower ri else s. common-lower >). 

• u.x = s.x for the remaining variables x. 

It is fairly straightforward to verify that R ms actually is a timed refinement mapping. The way 
lower ri is defined in the mapping implies that a receive _pkt sr 8 (m,i) step of C mS)r directly corre- 
sponds to a receive jpkt sr 8 (m,i) step of C ri i|| • • • ||C ri „. In fact, there is the same one-to-one cor- 
respondence for all other actions, except for increase-common-lower r (t) and increase-upper r (t). 

A increase-common-lower r (t) step of C mS)r may change several lower ri variables to nil. 
This corresponds at the abstract level to these lower ri variables being advanced. Thus, an 
increase-common-lower r (t) step of C mS)r corresponds to a series of increase-lower ri (t) — one for 
each process identifier i for which lower ri = nil in C mS)r after the increase-common-lower r (t) 
step. 

An increase-upper r (t) step simply corresponds a sequence of steps labeled increase-upper,. 1 (i), 
. . . , increase-upper r n (t). 
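The following Python simulation is an added example for this section; it is not code from the report or from [LSW91]. It implements the two $C_{ms,r}$ steps specified above ($\mathit{receive\_pkt}_{sr,i}(m,t)$ and $\mathit{increase\text{-}common\text{-}lower}_r(t)$) together with the refinement mapping $R_{ms}$, and exercises the situation of Figure 10.4: a stale $\mathit{lower}_{r,3}$ is cleaned up, after which the abstract $\mathit{lower}_{r,3}$ produced by $R_{ms}$ equals $\mathit{common\text{-}lower}_r$, and a retransmitted packet is re-acknowledged but never accepted twice. Assumptions not fixed by the text: $\mathit{nil}$ is `None`, $\infty$ is `math.inf`, part $i$ of the receiver is `parts[i-1]`, and a hypothetical simplified `deliver` step hands $\mathit{buf}_{r,i}$ to the user, records $\mathit{last}_{r,i}$, and returns the part to $\mathit{idle}$ (the report's real receive-message, ack, channel and crash steps are not modelled).

```python
"""Simulation of the ms-receiver steps of Section 10.7 (added example, not the
report's or [LSW91]'s code).  Assumptions: nil -> None, infinity -> math.inf,
sender i lives in parts[i-1]; deliver() is a hypothetical simplified
receive-message step; channels, acks and crashes are not modelled."""
from dataclasses import dataclass, field
from math import inf
from typing import Optional


@dataclass
class Part:
    """The variables of C_r that get one copy per sender i in C_{ms,r}."""
    mode: str = "idle"
    lower: Optional[float] = None      # nil: fall back to common_lower
    last: float = -inf                 # timestamp of the last delivered message
    buf: list = field(default_factory=list)
    nack_buf: list = field(default_factory=list)
    rm_time: float = inf


class MsReceiver:
    def __init__(self, n, upper, common_lower, rho, time):
        self.parts = [Part() for _ in range(n)]
        self.upper = upper               # the single upper_r shared by all senders
        self.common_lower = common_lower
        self.rho = rho                   # timing constant rho of the ss-receiver
        self.time = time                 # the single local clock time_r

    def effective_lower(self, i):
        """lower_{r,i} if it is not nil, otherwise common-lower_r."""
        p = self.parts[i]
        return p.lower if p.lower is not None else self.common_lower

    def receive_pkt(self, i, m, t):
        """Effect of receive_pkt_{sr,i}(m, t); returns what happened to the packet."""
        p = self.parts[i]
        if p.mode == "rec":
            return "ignored"                    # part i is recovering from a crash
        lo = self.effective_lower(i)
        if lo < t <= self.upper:                # timestamp in (lower, upper]: accept
            p.mode, p.rm_time, p.lower = "rcvd", inf, t
            p.buf.append(m)
            return "accepted"
        if p.last < t < lo:                     # too old to accept, not the last one: nack
            p.nack_buf.append(t)
            return "nacked"
        if p.mode == "idle" and p.last == t:    # retransmission of the delivered message
            p.mode = "ack"                      # re-acknowledge, never deliver twice
            return "reacked"
        return "ignored"

    def deliver(self, i):
        """Hypothetical simplified receive-message step for part i (see docstring)."""
        p = self.parts[i]
        if p.mode != "rcvd":
            return []
        msgs, p.buf = p.buf, []
        p.last, p.mode = p.lower, "idle"
        return msgs

    def increase_common_lower(self, t):
        """increase-common-lower_r(t); returns False if the precondition fails."""
        if any(p.mode == "rec" for p in self.parts):
            return False
        if not (self.common_lower < t < self.time - self.rho):
            return False
        self.common_lower = t
        for p in self.parts:                    # clean up lower_{r,i} that fell behind
            if p.lower is not None and self.common_lower > p.lower:
                p.lower = None
        return True

    def refine(self):
        """R_ms: the n ss-receiver states that this C_{ms,r} state maps to."""
        return [dict(upper=self.upper, time=self.time, lower=self.effective_lower(i),
                     mode=p.mode, last=p.last, buf=list(p.buf),
                     nack_buf=list(p.nack_buf), rm_time=p.rm_time)
                for i, p in enumerate(self.parts)]


def demo():
    """Three senders; constructed run showing at-most-once and cleanup of lower_{r,3}."""
    r = MsReceiver(n=3, upper=100, common_lower=0, rho=1, time=20)
    trace = [r.receive_pkt(0, "a", 10),           # sender 1: accepted, lower_{r,1} = 10
             r.receive_pkt(2, "b", 2),            # sender 3: accepted, lower_{r,3} = 2
             r.receive_pkt(2, "old", 1)]          # 1 < lower_{r,3}: nacked
    trace.append(r.deliver(2))                    # ["b"], last_{r,3} = 2
    trace.append(r.receive_pkt(2, "b", 2))        # duplicate of a delivered message
    trace.append(r.increase_common_lower(5))      # cleans lower_{r,3}, keeps lower_{r,1}
    trace.append(r.receive_pkt(2, "late", 4))     # 4 < common-lower_r = 5: nacked
    return trace, r
```

Running `demo()` traces the run of Figure 10.4: after the cleanup step, `refine()` reports the abstract $\mathit{lower}_{r,3}$ as 5 (the value of $\mathit{common\text{-}lower}_r$) while $\mathit{lower}_{r,1}$ stays 10, which is exactly the sequence of abstract $\mathit{increase\text{-}lower}_{r,i}(t)$ steps the mapping requires.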

We do not complete the modeling of $C_{ms,r}$ in this report but leave this and the complete simulation 
and liveness proofs for future work. 



Chapter 11 

Conclusion 

11.1 Summary 

This report contains two parts. Part I describes the formal models of [GSSL93] for timed and 
untimed systems, and the associated simulation-based proof techniques. Also, an extended tem- 
poral logic is developed, in which temporal formulas evaluate over executions of alternating states 
and actions and, thus, are well-suited for describing and reasoning about liveness conditions — in 
the timed setting via sampling characterizations of timed executions. It is furthermore shown 
how application of the semantic operators of parallel composition, action hiding, and action 
renaming is reflected in the syntax. 

The proof techniques are used to prove that one system correctly implements a more abstract 
system. A proof generally consists of three parts. First, several invariants of the systems are 
proved. Then, secondly, a relation is defined and proved to be a simulation relation from the 
concrete to the abstract system. During this process, one generally has to go back and prove 
additional invariants. Finally, a liveness proof builds on top of the simulation result. 

Part II presents a case study intended to check the adequacy of the formal framework on 
large examples. In particular, two practical protocols for solving the at-most-once message 
delivery problem on channels that may delete, duplicate, and reorder packets are considered. 
One protocol is the Five-Packet Handshake Protocol of [Bel76], which is the standard protocol for 
setting up network connections, used in TCP, ISO TP-4, and many other transport protocols. 
The other protocol is the Clock-Based Protocol of [LSW91], which relies on certain timing 
assumptions. Both protocols are sufficiently complicated that it seems that formal proof is the 
only means by which their correctness can be verified. 

Both the specification S of the at-most-once message delivery problem and the Five-Packet 
Handshake Protocol, which we call H, are formalized as live I/O automata, however at very 
different levels of abstraction. The specification S corresponds closely to the informal descrip- 
tion of the at-most-once message delivery problem, and is easily checked to have the desirable 
behavior. H is expressed as the parallel composition of several components. 

The Clock-Based Protocol, which we call C, is formalized as a live timed I/O automaton. A 
special MMT-specification style is used to specify the sender and receiver in a clear way since 
the timing restrictions on these components are of the simple form: if a set of actions becomes 
enabled (or stays enabled after being executed), then an action from the set must be executed 
after some lower time bound and before some upper time bound, unless the set is disabled in the 
meantime. C is formalized in the timed model and S in the untimed model. It is argued that 
in this case correctness of C should be expressed with respect to the patient version of S, i.e., 
the object of the timed model that behaves just like S, except that it allows arbitrary passage 
of time. 

Instead of proving directly that H and C correctly implement S and patient(S), respectively, the 
correctness proof is split into smaller parts by introducing intermediate levels of abstraction. In 
particular, both H and C can be seen as implementations of an (untimed) Generic Protocol G. 
By introducing intermediate levels of abstraction, not only do we get the advantage of splitting 
complicated proofs into smaller parts, we also avoid repeating proofs of similar parts in the 
correctness proofs for both H and C; instead these similar parts are captured 
in G and in the proof that G correctly implements S. In fact, we believe that G is sufficiently 
general so that other practical protocols can be proved to be correct implementations of G. 

A direct proof that G correctly implements S is still very complicated since it involves a 
backward simulation, and backward simulations seem to be inherently difficult. Thus, to limit 
the backward simulation to a development step as small as possible, the Delayed-Decision Spec- 
ification D was defined. In this way the correctness proof for D requires a backward simulation, 
whereas the correctness proofs for lower levels of abstraction only require the use of the simpler 
(timed) refinements (plus the use of history variables). 

The report contains full proofs of correctness for the protocols. However, some of the proofs 
are only sketched, when similar formal proofs are found elsewhere in the report. 

11.2 Evaluation 

The operational models of live (timed) I/O automata, the syntax for describing these, and the 
proof techniques have proved to provide a powerful formal framework within which both untimed 
and timed distributed systems can be formalized and proved correct. The abstract specification 
is close to the informal problem statement and the formalism offers a clear, intuitive, and modular 
approach to the description of the low-level protocols. In particular, for timed systems, where 
the only timing restrictions are lower and upper time bounds on progress, the MMT-style offers 
a clear notation. 

It should be noted, however, that the example presented in this report only proves correctness 
of a timed protocol with respect to the patient version of an (untimed) specification. This means 
that the timing assumptions of the timed protocol are only used to prove certain invariants, 
whereas the handling of time in the simulation proofs is almost trivial. [LA91] deals with timed 
simulation proofs (with non-patient specifications) for MMT-style systems. 

Some aspects of performing the correctness proofs are intellectually challenging. In particular, 
defining simulation relations involves a lot of insight and intuition about the systems, and also 
finding the sequence of abstract steps that corresponds to a given concrete step requires key 
intuition. In fact these two aspects of the proofs provide important documentation of the 
functionality of systems and can be used to convey intuition about these. 

However, in a simulation proof one must prove that the sequence of abstract steps has the 
right properties. This involves checking that the steps are in fact steps of the abstract system, 
which, in turn, amounts to checking that each variable is handled according to the abstract 
transition relation. This part of the proof involves a lot of tedious details, and forms a quite 
sizable part of the total proof. Because of the details, the proof is very difficult to maintain; 
sometimes, during a proof attempt, one has to go back and change either the abstract or the 
concrete specification, which may lead to a need to change part of the proof already done. 
Unless extreme care is taken, such changes are likely to introduce inconsistencies in the proof. 
Apart from this, simulation proof techniques scale well to large examples and impose a nice case 
structure on the proof. 

Liveness proofs are also challenging. They, too, require insight into the way the protocols 
work. The temporal logic offers an expressive way to formalize liveness conditions and an ad hoc set 
of rules. Our liveness proofs are not proofs of validity of temporal formulas, but instead proofs 
of satisfaction, i.e., that certain executions satisfy the temporal formulas. In the proof steps 
temporal rules, which have the form of valid implications, meta rules, and semantic reasoning 
are used. This seems to provide a straightforward way of performing careful liveness proofs by 
hand. 

Live (timed) I/O automata, temporal logic, and simulation-based proof techniques are good 
tools for formally specifying and verifying timed and untimed communication protocols. 

The embedding results of the model tie the untimed and timed models together in a very 
general and useful coordinated framework that allows proving that a timed system correctly 
implements an untimed specification. 

11.3 Further Work 

There is a considerable amount of further work remaining. We have already begun the work of 
automating simulation proofs in the untimed model, by proving the equivalence of versions of 
S and D using the Larch Prover [SGG + 93, GG91]. We have been pleased with the preliminary 
results: the prover has not only been able to check our hand proofs, but in fact has been able to 
fill in many of the details. Current research tries to use the same approach on a timed forward 
simulation. Future research should consider automation of more complicated simulation proofs. 

Second, if the timing assumptions on C are weakened or removed, the resulting algorithm 
still will not deliver any message more than once; however, it may lose messages even in the 
absence of a crash. It remains to formulate the weaker specification and prove that the weaker 
version of C satisfies it. 

Third, there are other algorithms that solve the at-most-once message delivery problem, for 
example, using bounded identifier spaces or cryptographic assumptions. We would like also to 
verify these, preferably reusing as much of our proofs as possible. 

Finally, future research should deal with the extended temporal logic developed in this work, 
and try to find a basic set of rules that is adequate for the liveness proofs of typical distributed 
systems. The rules presented in this report, which are specifically tailored for the case study, 
seem to be a good starting point for such an investigation. 

11.4 Conclusions 

We can draw several conclusions: 

• Live (timed) I/O automata, temporal logic, and simulation-based proof techniques provide 
a powerful coordinated framework for formally specifying and verifying timed and untimed 
communication protocols. 

• The proof techniques, especially simulation proofs, scale well and are not too difficult 
to use. It is challenging and requires insight and key intuition to find, e.g., the right 
simulation relations, and a lot of detailed work to verify these choices. For large proofs, 
computer assistance is essential to help with the details; however, the insight will always 
be required. 

• Backward simulation proofs are much harder to do than refinement mapping and forward 
simulation proofs but are necessary in certain situations. It seems to be worthwhile to try 
to limit the use of backward simulations to as small a development step as possible. 

• Many practical protocols can be treated as implementations of a common abstract protocol. 

• Verifying a coordinated collection of protocols, rather than just a single isolated protocol, 
is extremely valuable. It leads to the discovery of useful abstractions, and tends to make 
the proofs more elegant. 

• Doing proofs for realistic communication protocols is feasible now. We predict that it will 
become more so, and will be of considerable practical importance. 
Appendix A 

Basic Definitions 

This appendix gives basic definitions used in this report. 

A.1 Record Notation 

If a variable or value is of tuple type, e.g., $X \times Y \times Z$, we will use the normal record notation to 
extract the sub-values. For example if $d$ has type $X \times Y \times Z$, $d.x$ will extract the first component 
of the tuple, etc. 

A.2 Sets 

We use standard notation for sets. A set consisting of the elements $e_1, e_2, \ldots$ we write as 

$\{e_1, e_2, \ldots\}$ 

and a notation like 

$\{f(i) \mid i \in \mathbb{N} \wedge g(i) = 4\}$ 

is used to denote the set of all elements $f(i)$, where $i$ is a natural number such that $g(i) = 4$. 

A singleton set with the element $e$ is sometimes written $e$ instead of $\{e\}$. As usual we use 
$\in$ to express set membership, and $\subset$ and $\subseteq$ to express the proper subset and subset relations, 
respectively. The empty set is denoted by $\emptyset$. Furthermore we use the normal operators on sets 

$\cup$  Union 
$\cap$  Intersection 
$\overline{\phantom{S}}$  Complement (with respect to some given set) 
$\setminus$  Set minus 

Set Type 

For any set $S$, denote by $\mathcal{P}(S)$ the set of all (finite or infinite) subsets of $S$. 

Cardinality 

The cardinality of a set $S$, written $|S|$, is defined as 

$|S| = \begin{cases} n & \text{if } S \text{ has } n \text{ elements} \\ \infty & \text{if } S \text{ has infinitely many elements} \end{cases}$ 
A.3 Bags (Multisets) 

For bags we use the following operators from the previous section: 

$|s|, \cap, \cup, \in$ 

$|s|$ counts the total number of elements (including duplicates) of $s$. 

Bag Type 

For any set $S$, denote by $\mathcal{B}(S)$ the set of all (finite or infinite) bags with elements from $S$. 

A.4 Lists and Sequences 

In this report we use the terms "sequence", "list", and "queue" synonymously. 

A list $l$ consisting of the elements $e_0, e_1, \ldots$ we will write in one of the ways 

$l = \langle e_0, e_1, \ldots \rangle$ 
$l = e_0, e_1, \ldots$ 
$l = e_0 e_1 \ldots$ 

We denote by $\varepsilon$ the empty list. 

List Type 

For any set $S$, denote by $S^*$ the set of all finite lists of elements in $S$. 

Length 

The length of a list $l = \langle e_0, e_1, \ldots \rangle$, written $|l|$, is defined as 

$|l| = \begin{cases} n & \text{if } l \text{ is finite and ends in } e_{n-1} \\ \infty & \text{if } l \text{ is infinite} \end{cases}$ 

Head, Tail, Last, and Init 

If $l = \langle e_0, e_1, e_2, \ldots \rangle$ is nonempty, define 

$\mathit{head}(l) = e_0$ 

$\mathit{tail}(l) = \langle e_1, e_2, \ldots \rangle$ 

If furthermore $l$ is finite and ends in $e_{n-1}$, then define 

$\mathit{last}(l) = e_{n-1}$ 

$\mathit{init}(l) = \langle e_0, e_1, \ldots, e_{n-2} \rangle$ 

Concatenation 

Concatenation of two lists $l_1$ and $l_2$, written $l_1 \frown l_2$ or sometimes $l_1 l_2$, is defined when $l_1$ is finite. 
If $l_1 = \langle e_0, \ldots, e_{n-1} \rangle$ and $l_2 = \langle e_n, e_{n+1}, \ldots \rangle$, then define 

$l_1 \frown l_2 = \langle e_0, \ldots, e_{n-1}, e_n, e_{n+1}, \ldots \rangle$ 
List Construction 

Let $I = \{i_1, i_2, \ldots\}$ be a set of totally ordered elements with $i_1 < i_2 < \cdots$. Then define 

$\langle f(i) \mid i \in I \wedge P(i) \rangle = e_{i_1} \frown e_{i_2} \frown \cdots$ 

where $f$ is a function, $P$ is a predicate, and 

$e_i = \begin{cases} \langle f(i) \rangle & \text{if } P(i) \\ \varepsilon & \text{otherwise} \end{cases}$ 

Indexing 

If $l = \langle e_0, e_1, \ldots \rangle$, then define for all $i$ with $0 \le i < |l|$ 

$l[i] = e_i$ 

We let $\mathit{dom}(l)$ denote the set of indices of any list $l$. Thus, 

$\mathit{dom}(l) = \{i \mid 0 \le i < |l|\}$ 

We also let $\mathit{elems}(l)$ be the set of elements in $l$. Thus, 

$\mathit{elems}(l) = \{l[i] \mid i \in \mathit{dom}(l)\}$ 

If $l$ is nonempty, we denote by $\mathit{maxidx}(l)$ the maximum index in $l$. Thus, 

$\mathit{maxidx}(l) = |l| - 1$ 

Restriction 

If $l$ is a list and $S$ is a set, we let $l \upharpoonright S$ denote the restriction of $l$ to $S$. For example, $\langle 1, 3, 2, 5, 4 \rangle \upharpoonright 
\{2, 3, 4, 7\} = \langle 3, 2, 4 \rangle$. Formally, 

$l \upharpoonright S = \langle l[i] \mid i \in \mathit{dom}(l) \wedge l[i] \in S \rangle$ 

Set Operations on Lists 

As a notational convention we allow set operators like $\in$, $\subseteq$, etc., to operate on lists $l$. This should 
just be thought of as a shorthand notation for the same operators operating on $\mathit{elems}(l)$. For 
instance, $e \in l$ means $e \in \mathit{elems}(l)$ and $l \subseteq S$ means $\mathit{elems}(l) \subseteq S$ for some set $S$. 

A. 5 Functions and Mappings 

We use the terms "function" and "mapping" synonymously. We use standard notation for
function definition and application. When explicitly defining the mapping from elements to
elements we use notation like

[1 ↦ 1,
 2 ↦ 4,
 3 ↦ 9,
 …
 9 ↦ 81]

or equivalently

[i ↦ i^2 | 1 ≤ i ≤ 9]
Function Type

A function f mapping elements from S_1 to S_2 has the type

S_1 → S_2

We shall only deal with total functions, i.e., f(s) is defined for all elements s ∈ S_1. S_1 is referred
to as the domain of f and S_2 as the codomain of f.

Domain and Range 

For any function f, dom(f) denotes the domain of f. The range (or image) of f is defined as

rng(f) = {f(e) | e ∈ dom(f)}

Operations on Functions 

For functions f : A → B and g : C → D with B ⊆ C, define the composition f ∘ g : A → D such
that for all a ∈ A,

(f ∘ g)(a) = f(g(a))

For any function f : A → B and set S, denote by f \ S the function with type (A \ S) → B such
that for all a ∈ A \ S,

(f \ S)(a) = f(a)

Similarly f⌈S denotes the function of type (A ∩ S) → B such that for all a ∈ A ∩ S

(f⌈S)(a) = f(a)

For functions f_i : A_i → B_i, 1 ≤ i ≤ k, with disjoint domains, denote by f_1 ∪ ··· ∪ f_k the function
of type (A_1 ∪ ··· ∪ A_k) → (B_1 ∪ ··· ∪ B_k) such that for all a ∈ (A_1 ∪ ··· ∪ A_k)

(f_1 ∪ ··· ∪ f_k)(a) = f_i(a)   if a ∈ A_i



Appendix B 

Proofs from Part I 

B.1 Proofs in Chapter 3

Proof of Lemma 3.1: 

Let α be an arbitrary execution over (V, A).

If a is infinite, then a = a and the result trivially follows. 

Now, assume α is finite and let α = s_0 a_1 s_1 a_2 s_2 ··· a_n s_n. Furthermore, let j ≥ 0 be an arbitrary
natural number. Let a_i = ζ and s_i = s_n for all i > n. Then α = s_0 a_1 s_1 a_2 s_2 ···. We prove the
lemma by structural induction over P.

Base Case: P is a step formula

(α, j) ⊨ P

iff (by definition)

(0 ≤ j < n and (s_j, a_{j+1}, s_{j+1}) ⊨ P) or

(j ≥ n and (s_n, ζ, s_n) ⊨ P)

iff (by definition of s_i and a_i for i > n)

0 ≤ j and (s_j, a_{j+1}, s_{j+1}) ⊨ P

iff (by definition)

Inductive Step: 

Assume as induction hypothesis that Q is a temporal formula over (V_Q, A_Q) such that for all
α_Q over (V_Q, A_Q) and all j_Q ≥ 0

(«Q 5 iQ)N<5 iff (oqJq)\=Q 

Assume a similar induction hypothesis for R. We consider the different possibilities for P (cf. 
Section 3.5). 

• P = ○Q

(α, j) ⊨ ○Q

iff (by definition)

(α, j + 1) ⊨ Q

iff (by the induction hypothesis)

(α, j + 1) ⊨ Q

iff (by definition)

• P = Q W R

Similar to case P = ○Q.

• P = ∀x : Q

Since P is a temporal formula over (V, A), Q is a temporal formula over (V ∪ {x}, A).

(α, j) ⊨ ∀x : Q

iff (by definition)

for all values v, (α^x_v, j) ⊨ Q

iff (by the induction hypothesis)

for all values v, (α^x_v, j) ⊨ Q

iff (by definition of the substitution α^x_v)

for all values v, (α^x_v, j) ⊨ Q

iff (by definition)

(α, j) ⊨ ∀x : Q

• P = ∃x : Q

Similar to case P = ∀x : Q.

• P = Q ⇒ R

Similar to case P = ○Q.

• P = ¬Q

Similar to case P = ○Q.

■ 

Proof of Lemma 3.2: 

This lemma holds for our temporal logic since we do not have any past operators, i.e., operators
that can reference previous positions in an execution. For instance, some temporal logics (see,
e.g., [MP92]) have a previous operator, which is dual to our next operator ○ and is defined
such that previous P holds at position j in an execution if P holds at position j − 1 in that
execution. Since our logic lacks this possibility of referencing previous positions, the question
whether P holds at position j in α only depends on the suffix s_j a_{j+1} s_{j+1} ··· of α, i.e., _j|α.
Similarly, the question whether P holds at position i in _{j−i}|α only depends on _i|(_{j−i}|α), and
since _i|(_{j−i}|α) = _j|α, the result follows.

Formally, the result can be proven by structural induction over P. 
Proof of Lemma 3.3:

Let α = s_0 a_1 s_1 a_2 s_2 ··· and α' = s'_0 a'_1 s'_1 a'_2 s'_2 ···. We define inductively a nondecreasing mapping
m : ℕ → ℕ such that _k|α ~ _{m(k)}|α'. Furthermore, for each k we define a mapping m_k :
{0, ..., m(k) − 1} → {0, ..., k − 1}, such that for all 0 ≤ i' < m(k), _{m_k(i')}|α ~ _{i'}|α'. This
inductive definition is clearly sufficient to prove the lemma.

Base Case: k = 0

Define m(0) = 0. Then, by assumption, _0|α = α ~ α' = _{m(0)}|α', as required.

Let m_0 be the empty mapping. Then, vacuously, for all 0 ≤ i' < m(0), _{m_0(i')}|α ~ _{i'}|α'.

Inductive Step:

Assume as induction hypothesis that _k|α ~ _{m(k)}|α' and that, for all 0 ≤ i' < m(k), _{m_k(i')}|α ~ _{i'}|α'.
We consider cases.

• a_{k+1} = ζ.

Define m(k + 1) = m(k). Then, clearly, _{k+1}|α ~ _k|α ~ _{m(k)}|α' = _{m(k+1)}|α'.

Define m_{k+1} = m_k. By the induction hypothesis and the definition of m(k + 1) and m_{k+1},
for all 0 ≤ i' < m(k + 1), _{m_{k+1}(i')}|α ~ _{i'}|α'.

• a_{k+1} = a ≠ ζ.

Then, since _k|α ~ _{m(k)}|α' (induction hypothesis), there must be a unique number k' > m(k)
such that s'_{m(k)} a'_{m(k)+1} s'_{m(k)+1} ··· a'_{k'} s'_{k'} = s'_{m(k)} ζ s'_{m(k)} ··· a s'_{k'}. Thus, the first non-stuttering
action in α' after position m(k) must be a.

Define m(k + 1) = k'. Then the induction hypothesis, the definition of k', and the case
assumption imply _{k+1}|α ~ _{k'}|α' = _{m(k+1)}|α'.

Define m_{k+1} to coincide with m_k for all 0 ≤ i' < m(k), and define m_{k+1}(i') = k, for
all m(k) ≤ i' < m(k + 1). Then the induction hypothesis and the definition of m_{k+1}
give, for all 0 ≤ i' < m(k), _{m_{k+1}(i')}|α ~ _{i'}|α'. For m(k) ≤ i' < m(k + 1) we have
_{m_{k+1}(i')}|α = _k|α ~ _{m(k)}|α' ~ _{i'}|α', where the last stuttering-equivalence follows from the
fact that _{i'}|α' only differs from _{m(k)}|α' by having less stuttering in the start.

This concludes the proof.
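The inductive construction of m in the proof above, carried out on two concrete executions; this is an added illustration, not code from the report. It assumes a list representation [s_0, a_1, s_1, ...] of executions, a constant ZETA for the stuttering action (whose steps never change the state), and that α ~ α' means the two executions coincide once all stuttering steps are deleted.

```python
# Added example: the index mapping m of the proof of Lemma 3.3, built for two
# constructed stuttering-equivalent executions (assumptions as stated in the lead-in).

ZETA = "zeta"  # constructed label for the stuttering action


def actions(alpha):
    """a_1, a_2, ... of alpha (the report's a_k is actions(alpha)[k - 1])."""
    return alpha[1::2]


def suffix(alpha, k):
    """The suffix _k|alpha = s_k a_{k+1} s_{k+1} ... of alpha."""
    return alpha[2 * k:]


def collapse(alpha):
    """Delete every stuttering step (zeta, state unchanged); canonical form under ~."""
    out = [alpha[0]]
    for a, s in zip(alpha[1::2], alpha[2::2]):
        if a != ZETA:
            out += [a, s]
    return out


def stutter_equiv(alpha, beta):
    return collapse(alpha) == collapse(beta)


def index_mapping(alpha, beta):
    """The nondecreasing m of the proof, returned as a list with m[k] = m(k).

    m(0) = 0.  If a_{k+1} = zeta then m(k+1) = m(k).  Otherwise m(k+1) = k',
    the position of the first non-stuttering action of beta after position m(k)."""
    if not stutter_equiv(alpha, beta):
        raise ValueError("executions are not stuttering-equivalent")
    m = [0]
    b_acts = actions(beta)
    for a in actions(alpha):
        if a == ZETA:
            m.append(m[-1])
            continue
        kp = m[-1] + 1                  # candidate k' > m(k)
        while b_acts[kp - 1] == ZETA:   # skip beta's stuttering steps
            kp += 1
        assert b_acts[kp - 1] == a      # guaranteed by alpha ~ beta
        m.append(kp)
    return m


def mapping_is_sound(alpha, beta, m):
    """The invariant of the proof: m is nondecreasing and _k|alpha ~ _m(k)|beta."""
    nondecreasing = all(m[k] <= m[k + 1] for k in range(len(m) - 1))
    return nondecreasing and all(
        stutter_equiv(suffix(alpha, k), suffix(beta, m[k])) for k in range(len(m)))


# Constructed sample: same non-stuttering behaviour, stuttering in different places.
ALPHA = [0, "a", 1, ZETA, 1, "b", 2]
BETA = [0, ZETA, 0, "a", 1, "b", 2, ZETA, 2]

if __name__ == "__main__":
    m = index_mapping(ALPHA, BETA)
    print("m =", m, "sound:", mapping_is_sound(ALPHA, BETA, m))
```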



Proof of Proposition 3.4:

Let α_1 = s_{1,0} a_{1,1} s_{1,1} a_{1,2} s_{1,2} ··· and α_2 = s_{2,0} a_{2,1} s_{2,1} a_{2,2} s_{2,2} ··· be arbitrary executions such that
α_1 ~ α_2.

1. Let P be a state predicate.

iff (by definition)





iff (since α_1 ~ α_2 implies s_{1,0} = s_{2,0})

iff (by definition)

α_2 ⊨ P

This proves that P is stuttering-insensitive.

2. Let P be a state transition predicate, and assume that (s, ζ, s) ⊨ P (which implies
(s, s)[P] = true) for all states s.

α_1 ⊨ P
iff (by definition)

(s_{1,0}, s_{1,1})[P] = true
implies (since α_1 ~ α_2 implies either (s_{1,0}, s_{1,1}) = (s_{2,0}, s_{2,1}) or (s_{1,0}, s_{1,1}) = (s_{2,0}, s_{2,0}))

(s_{2,0}, s_{2,1})[P] = true or (s_{2,0}, s_{2,0})[P] = true
iff (since (s_{2,0}, s_{2,0})[P] = true by assumption)

(s_{2,0}, s_{2,1})[P] = true
iff (by definition)

α_2 ⊨ P

A symmetric argument gives the implication in the other direction. This proves that P is
stuttering-insensitive.

3. Let f be an action function.

α_1 ⊨ ◇⟨f⟩

iff (by definition)

there is a step (s_{1,i}, a_{1,i+1}, s_{1,i+1}) in α_1 such that a_{1,i+1} ∈ (s_{1,i}, s_{1,i+1})[[f]]
iff (since ζ can never be in the range of an action function)

there is a step (s_{1,i}, a_{1,i+1}, s_{1,i+1}) in α_1 such that a_{1,i+1} ≠ ζ and a_{1,i+1} ∈ (s_{1,i}, s_{1,i+1})[[f]]
implies (by definition of ~)

there is a step (s_{2,j}, a_{2,j+1}, s_{2,j+1}) = (s_{1,i}, a_{1,i+1}, s_{1,i+1}) in α_2 such that

a_{2,j+1} ∈ (s_{2,j}, s_{2,j+1})[[f]]

iff (by definition)

α_2 ⊨ ◇⟨f⟩

A symmetric argument gives the implication in the other direction. This proves that ◇⟨f⟩
is stuttering-insensitive.

4. Assume that P and Q are stuttering-insensitive temporal formulas.

(a) P W Q

α_1 ⊨ P W Q
iff (by definition)

there exists a k ≥ 0 such that (α_1, k) ⊨ Q and for every 0 ≤ i < k, (α_1, i) ⊨ P,

or else, for all i ≥ 0, (α_1, i) ⊨ P
iff (by Lemma 3.1)

there exists a k ≥ 0 such that (α_1, k) ⊨ Q and for every 0 ≤ i < k, (α_1, i) ⊨ P,

or else, for all i ≥ 0, (α_1, i) ⊨ P
iff (by Lemma 3.2)

there exists a k ≥ 0 such that _k|α_1 ⊨ Q and for every 0 ≤ i < k, _i|α_1 ⊨ P,

or else, for all i ≥ 0, _i|α_1 ⊨ P
implies (by Lemma 3.3 and the fact that P and Q are stuttering-insensitive)

there exists a k' ≥ 0 such that _{k'}|α_2 ⊨ Q and for every 0 ≤ i' < k', _{i'}|α_2 ⊨ P,

or else, for all i' ≥ 0, _{i'}|α_2 ⊨ P
iff (by Lemma 3.2)

there exists a k' ≥ 0 such that (α_2, k') ⊨ Q and for every 0 ≤ i' < k', (α_2, i') ⊨ P,

or else, for all i' ≥ 0, (α_2, i') ⊨ P
iff (by Lemma 3.1)

there exists a k' ≥ 0 such that (α_2, k') ⊨ Q and for every 0 ≤ i' < k', (α_2, i') ⊨ P,

or else, for all i' ≥ 0, (α_2, i') ⊨ P
iff (by definition)

α_2 ⊨ P W Q

A symmetric argument gives the implication in the other direction. This proves that
P W Q is stuttering-insensitive.

(b) ∀x : P

Since α_1 ~ α_2, we have, for all values v, (α_1)^x_v ~ (α_2)^x_v.

α_1 ⊨ ∀x : P
iff (by definition)

for all values v, (α_1)^x_v ⊨ P
iff (since P is stuttering-insensitive and (α_1)^x_v ~ (α_2)^x_v)

for all values v, (α_2)^x_v ⊨ P
iff (by definition)

α_2 ⊨ ∀x : P

This proves that ∀x : P is stuttering-insensitive.

(c) ∃x : P

Similar to case ∀x : P.

(d) ¬P

iff (by definition)

α_1 ⊭ P
iff (by the fact that P is stuttering-insensitive)

α_2 ⊭ P
iff (by definition)

α_2 ⊨ ¬P

This proves that ¬P is stuttering-insensitive.

(e) P ⇒ Q

Similar to case ¬P.






B.2 Proofs in Chapter 4

B.2.1 Untimed Systems

Proof of Lemma 4.1:

Let (V, A) be an arbitrary pair with V' ⊆ V and A' ⊆ A and let α = s_0 a_1 s_1 a_2 s_2 ··· be an
arbitrary execution over (V, A). Furthermore, let α' = α⌈(V', A') = s'_0 a'_1 s'_1 a'_2 s'_2 ···. Then

s'_k = s_k⌈V'   and   a'_k = a_k if a_k ∈ A', ζ otherwise

We prove the lemma by structural induction on P. 

Base Case:

In the base case P is a step formula over (V', A'). We consider the two kinds of step formulas:

• P = ⟨f⟩, where f is an action function over (V', A').

(α', j) ⊨ ⟨f⟩

iff (by definition)

(0 ≤ j < |α'| and (s'_j, a'_{j+1}, s'_{j+1}) ⊨ ⟨f⟩) or

(j ≥ |α'| and (s'_{|α'|}, ζ, s'_{|α'|}) ⊨ ⟨f⟩)

iff (by definition and the fact that ζ can never be in the range of an action function)

(0 ≤ j < |α'| and a'_{j+1} ∈ (s'_j, s'_{j+1})[[f]]) or

(j ≥ |α'| and false)

iff

(0 ≤ j < |α'| and a'_{j+1} ∈ (s'_j, s'_{j+1})[[f]])

iff (step 4; see below)

(0 ≤ j < |α| and a_{j+1} ∈ (s_j, s_{j+1})[[f]])

iff

(0 ≤ j < |α| and a_{j+1} ∈ (s_j, s_{j+1})[[f]]) or

(j ≥ |α| and false)

iff (since ζ can never be in the range of an action function)

(0 ≤ j < |α| and a_{j+1} ∈ (s_j, s_{j+1})[[f]]) or

(j ≥ |α| and ζ ∈ (s_{|α|}, s_{|α|})[[f]])

iff (by definition)

(0 ≤ j < |α| and (s_j, a_{j+1}, s_{j+1}) ⊨ ⟨f⟩) or

(j ≥ |α| and (s_{|α|}, ζ, s_{|α|}) ⊨ ⟨f⟩)

iff (by definition)

(α, j) ⊨ ⟨f⟩

Step 4 above is justified as follows: first, |α'| = |α| by definition of ⌈. Next, since s'_j =
s_j⌈(V', A'), s'_{j+1} = s_{j+1}⌈(V', A'), and f is an action function over (V', A'), we have that
(s'_j, s'_{j+1})[[f]] = (s_j, s_{j+1})[[f]]. Finally, if a'_{j+1} = ζ, then a_{j+1} ∉ A' by definition of ⌈,
and since f is an action function over (V', A'), we have a'_{j+1} ∈ (s'_j, s'_{j+1})[[f]] iff a_{j+1} ∈
(s_j, s_{j+1})[[f]]. If a'_{j+1} ≠ ζ, then a'_{j+1} = a_{j+1}. That suffices.



• P is a state transition predicate over (V', A')

(α', j) ⊨ P
iff (by definition)

(0 ≤ j < |α'| and (s'_j, a'_{j+1}, s'_{j+1}) ⊨ P) or

(j ≥ |α'| and (s'_{|α'|}, ζ, s'_{|α'|}) ⊨ P)
iff (by definition)

(0 ≤ j < |α'| and (s'_j, s'_{j+1})[P] = true) or

(j ≥ |α'| and (s'_{|α'|}, s'_{|α'|})[P] = true)
iff (step 3; see below)

(0 ≤ j < |α| and (s_j, s_{j+1})[P] = true) or

(j ≥ |α| and (s_{|α|}, s_{|α|})[P] = true)
iff (by definition)

(0 ≤ j < |α| and (s_j, a_{j+1}, s_{j+1}) ⊨ P) or

(j ≥ |α| and (s_{|α|}, ζ, s_{|α|}) ⊨ P)
iff (by definition)

(α, j) ⊨ P

Step 3 is justified as follows: first, |α'| = |α|, by definition of ⌈. Then, since P is a state
transition predicate over (V', A') and s'_k = s_k⌈(V', A') for all k, the result directly follows.

Inductive Step:

Let Q be an arbitrary temporal formula over (V'_Q, A'_Q) and assume as induction hypothesis that
for all pairs (V_Q, A_Q) with V'_Q ⊆ V_Q and A'_Q ⊆ A_Q, all executions α_Q over (V_Q, A_Q), and all
j_Q ≥ 0,

(α_Q⌈(V'_Q, A'_Q), j_Q) ⊨ Q   iff   (α_Q, j_Q) ⊨ Q

Assume a similar induction hypothesis for the temporal formula R over (V'_R, A'_R). We consider
the different possibilities for P (cf. Section 3.5).

• P = ○Q

(α⌈(V', A'), j) ⊨ ○Q
iff (by definition)

(α⌈(V', A'), j + 1) ⊨ Q
iff (by the induction hypothesis)

(α, j + 1) ⊨ Q
iff (by definition)

(α, j) ⊨ ○Q

• P = Q W R

Similar to case P = ○Q.

• P = ∀x : Q

(α⌈(V', A'), j) ⊨ ∀x : Q
iff (by definition)

for all values v, ((α⌈(V', A'))^x_v, j) ⊨ Q
iff (by definition of ⌈ and substitution)

for all values v, (α^x_v⌈(V' ∪ {x}, A'), j) ⊨ Q
iff (by the induction hypothesis)

for all values v, (α^x_v, j) ⊨ Q
iff (by definition)

(α, j) ⊨ ∀x : Q

• P = ∃x : Q

Similar to case P = ∀x : Q.

• P = (Q ⇒ R)

Similar to case P = ○Q.

• P = ¬Q

Similar to case P = ○Q.
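The projection α⌈(V', A') used in the proof of Lemma 4.1, together with a check that a step formula over (V', A') holds at position j in α exactly when it holds at j in the projection, including the stuttering step (s_{|α|}, ζ, s_{|α|}) at positions beyond the end. This is an added example, not code from the report; it assumes states are dicts from variable names to values, an action function f is represented as a Python function (s, s') → set of actions (the set (s, s')[[f]]), and a state transition predicate P as a function (s, s') → bool.

```python
# Added example: alpha|^(V',A') and step-formula evaluation from Lemma 4.1.
# Assumptions (mine, not the report's): executions are lists [s_0, a_1, s_1, ...],
# states are dicts, f: (s, s') -> set of actions, P: (s, s') -> bool.

ZETA = "zeta"  # constructed label for the stuttering action


def project(alpha, vars_, acts):
    """alpha|^(V',A'): s'_k = s_k|^V' and a'_k = a_k if a_k in A', else zeta."""
    out = [{v: alpha[0][v] for v in vars_}]
    for a, s in zip(alpha[1::2], alpha[2::2]):
        out.append(a if a in acts else ZETA)
        out.append({v: s[v] for v in vars_})
    return out


def step_at(alpha, j):
    """(s_j, a_{j+1}, s_{j+1}) for 0 <= j < |alpha|, else (s_|alpha|, zeta, s_|alpha|)."""
    n = len(alpha) // 2  # |alpha|: index of the last state
    if j < n:
        return alpha[2 * j], alpha[2 * j + 1], alpha[2 * j + 2]
    return alpha[2 * n], ZETA, alpha[2 * n]


def holds_action(alpha, j, f):
    """(alpha, j) |= <f>: the action taken at j lies in (s_j, s_{j+1})[[f]].
    zeta is never in the range of an action function, so stuttering steps fail."""
    s, a, s2 = step_at(alpha, j)
    return a != ZETA and a in f(s, s2)


def holds_pred(alpha, j, p):
    """(alpha, j) |= P for a state transition predicate P."""
    s, _, s2 = step_at(alpha, j)
    return p(s, s2)


def lemma41_agrees(alpha, vars_, acts, f, p, positions):
    """True iff alpha and alpha|^(V',A') agree on <f> and P at every position."""
    proj = project(alpha, vars_, acts)
    return all(holds_action(alpha, j, f) == holds_action(proj, j, f)
               and holds_pred(alpha, j, p) == holds_pred(proj, j, p)
               for j in positions)


# Constructed execution over V = {x, y}, A = {inc, noise, reset}, projected
# onto V' = {x}, A' = {inc, reset}.  |EXEC| = 4, so j = 4, 5 hit the stuttering step.
EXEC = [{"x": 0, "y": 0}, "inc", {"x": 1, "y": 0}, "noise", {"x": 1, "y": 5},
        "inc", {"x": 2, "y": 5}, "reset", {"x": 0, "y": 5}]
V_PRIME, A_PRIME = {"x"}, {"inc", "reset"}


def f_over_x(s, s2):
    """Action function over (V',A'): the actions of A' consistent with the change in x."""
    out = set()
    if s2["x"] == s["x"] + 1:
        out.add("inc")
    if s2["x"] == 0:
        out.add("reset")
    return out


def p_over_x(s, s2):
    """State transition predicate over V': x never decreases except to 0."""
    return s2["x"] >= s["x"] or s2["x"] == 0


def g_not_over_a_prime(s, s2):
    """Counterexample function: it names noise, which is not in A', so Lemma 4.1
    does not apply to <g> and the projection loses the step."""
    return {"noise"} if s2["x"] == s["x"] else set()


if __name__ == "__main__":
    print("Lemma 4.1 agrees:", lemma41_agrees(EXEC, V_PRIME, A_PRIME, f_over_x, p_over_x, range(6)))
    print("<g> at j=1 in EXEC:", holds_action(EXEC, 1, g_not_over_a_prime),
          "in projection:", holds_action(project(EXEC, V_PRIME, A_PRIME), 1, g_not_over_a_prime))
```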



Proof of Lemma 4.3: 

=X Assume a\A, \= Qi for all i. Then since a\A, ~ a \ A, and Qi is stuttering-insensitive, we 
have a \ A, \= Qi, for all i. Then by Lemma 4.2, a \= Qi, for all i, and thus a \= Qi A . . . A Q^. 

<J^: Assume a \= Qi A . . . A Q^. Then a \= Qi, for all i, and Lemma 4.2 implies that 
a \ Ai \= Qi, for all i. Again, since a\A, ~ a \ A, and Qi is stuttering-insensitive, it follows that 
a\Ai \= Qi, for all i. 



Proof of Proposition 4.4:

By Definition 2.9 we have L = {α ∈ exec(A) | α⌈A_1 ∈ L_1, ..., α⌈A_N ∈ L_N}. By definition of
⌈ we know that if α ∈ exec(A), then α⌈A_i ∈ exec(A_i), for all i. Thus, since L_i is induced by
Q_i, we get L = {α ∈ exec(A) | α⌈A_1 ⊨ Q_1, ..., α⌈A_N ⊨ Q_N}. By Lemma 4.3 we finally get
L = {α ∈ exec(A) | α ⊨ Q_1 ∧ ... ∧ Q_N} which proves that L is induced by Q_1 ∧ ... ∧ Q_N.



Proof of Proposition 4.5: 

Let {Aj(,Lj() = (A,L) \A. The proof is trivial since, by Definitions 2.3 and 2.f0, exec(A^) 
exec(A) and L^ = L. 



Proof of Proposition 4.6:

Let (A_ρ, L_ρ) = ρ((A, L)). By Definition 2.11 we have (A_ρ, L_ρ) = (ρ(A), {ρ(α) | α ∈ L}).

First note that since Q is a temporal formula over A, Definition 2.4 implies that ρ(Q) is a
temporal formula over A_ρ.

Now, it is clear that α ⊨ Q iff ρ(α) ⊨ ρ(Q). Since also exec(A_ρ) = {ρ(α) | α ∈ exec(A)}, it
follows that L_ρ = {α ∈ exec(A_ρ) | α ⊨ ρ(Q)}, which proves that L_ρ is induced by ρ(Q).
B.2.2 Timed Systems

Proof of Proposition 4.17:

Let L_{i,s}, for each 1 ≤ i ≤ N, be a sampling characterization of L_i such that L_{i,s} is induced by
Q_i. We have

L = {Σ ∈ t-exec^∞(A) | Σ⌈A_1 ∈ L_1, ..., Σ⌈A_N ∈ L_N}                                                     (1)

  = {Σ ∈ t-exec^∞(A) | (∀α_1 samples Σ⌈A_1 : α_1 ∈ L_{1,s}), ..., (∀α_N samples Σ⌈A_N : α_N ∈ L_{N,s})}     (2)

  = {Σ ∈ t-exec^∞(A) | ∀α samples Σ : α⌈A_1 ∈ L_{1,s}, ..., α⌈A_N ∈ L_{N,s}}                               (3)

where Step 1 follows from Definition 2.26, Step 2 follows from the definition of sampling char-
acterizations, and Step 3 follows from Lemma 4.15 Part 3.

This proves (using Lemma 4.13 Part 2) that L is induced by L_s = {α ∈ exec^∞(A) | α⌈A_1 ∈
L_{1,s}, ..., α⌈A_N ∈ L_{N,s}}, and we have

L_s = {α ∈ exec^∞(A) | α⌈A_1 ⊨ Q_1, ..., α⌈A_N ⊨ Q_N}     (1)

    = {α ∈ exec^∞(A) | α ⊨ Q_1 ∧ ··· ∧ Q_N}                 (2)

where Step 1 follows from the definition of sampling characterization being induced by temporal
formulas and Step 2 follows from Lemma 4.16.

This proves that L_s and, in turn, L are induced by Q_1 ∧ ... ∧ Q_N.



Proof of Proposition 4.18: 

Let (A a, L^) = (A,L) \ A. The proof is trivial since, by Definitions 2.19 and 2.27, exec(Aj() 
exec(A), t-exec(A^) = t-exec(A), and L = L^.- 



Proof of Proposition 4.19:

Let (A_ρ, L_ρ) = ρ((A, L)) and let L_s be a sampling characterization of L such that L_s is induced
by Q. By Definition 2.28 we have (A_ρ, L_ρ) = (ρ(A), {ρ(Σ) | Σ ∈ L}).

First note that since Q is a temporal formula over A, Definition 2.20 implies that ρ(Q) is a
temporal formula over A_ρ.

Now, it is clear that exec(A_ρ) = {ρ(α) | α ∈ exec(A)} and that α ⊨ Q iff ρ(α) ⊨ ρ(Q). Thus,
L_{ρ,s} = {ρ(α) | α ∈ L_s} is induced by ρ(Q). Since also t-exec(A_ρ) = {ρ(Σ) | Σ ∈ t-exec(A)} and α
samples Σ iff ρ(α) samples ρ(Σ), we immediately get that L_ρ is induced by L_{ρ,s}. That suffices.



B.2.3 Embedding 

Proof of Lemma 4.21:

Since Q is a temporal formula over A, α is an execution over A_p, variables(A) ⊆ variables(A_p),
and acts(A) ⊆ acts(A_p), Lemma 4.1 yields

(α⌈(variables(A), acts(A))) ⊨ Q   iff   α ⊨ Q   (*)

Furthermore, by definition of untime(α) we have untime(α) ~ (α⌈(variables(A), acts(A))), and
since Q is stuttering-insensitive we have

untime(α) ⊨ Q   iff   (α⌈(variables(A), acts(A))) ⊨ Q   (**)

Then (*) and (**) imply the result.

■ 

Proof of Proposition 4.22:

First note that since variables(A) ⊆ variables(A_p) and acts(A) ⊆ acts(A_p), Q is a temporal
formula over A_p. We have

L_p = {Σ ∈ t-exec^∞(A_p) | untime(Σ) ∈ L}

    = {Σ ∈ t-exec^∞(A_p) | untime(Σ) ⊨ Q}

    = {Σ ∈ t-exec^∞(A_p) | for all α, if α samples Σ, then untime(α) ⊨ Q}

    = {Σ ∈ t-exec^∞(A_p) | for all α, if α samples Σ, then α ⊨ Q}

where Step 1 follows from Definition 2.35, Step 2 follows from the fact that L is induced by
Q (and untime(Σ) ∈ exec(A) by definition of untime), Step 3 follows from Lemma 4.20, and Step 4
follows from Lemma 4.21.

This proves, by Lemma 4.13 Part 2, that L_p is induced by Q.

We show that Q is minimal. Thus, for an arbitrary admissible execution α of A_p with α ⊨ Q, we
must show the existence of a timed execution Σ ∈ L_p such that α samples Σ.

Let α be an arbitrary admissible execution of A_p such that α ⊨ Q. Let Σ be a timed
execution of A_p such that α samples Σ. By Lemmas 4.11 and 4.13 Σ exists and is admissible. By
Lemma 4.20 untime(α) = untime(Σ) and Lemma 4.21 gives untime(α) ⊨ Q. Thus, untime(Σ) ⊨
Q, which implies untime(Σ) ∈ L. Then, by definition of L_p (Definition 2.35), Σ ∈ L_p. That
suffices.



B.3 Proofs in Chapter 5 

B.3.1 Untimed Systems 

Proof of Lemma 5.10:

Let m be an arbitrary index mapping from α to α' with respect to R.

⇒: Assume α ⊨ ◇□¬⟨C⟩. Then, by Lemma 3.5 Part 3, there exists an index i such that
_i|α ⊨ □¬⟨C⟩. Thus, no actions in C occur in trace(_i|α). By Lemma 5.6 and the fact that C
contains external actions only, no actions in C occur in the suffix _{m(i)}|α'. Thus, _{m(i)}|α' ⊨ □¬⟨C⟩,
which, by Lemma 3.5 Part 4, implies that α' ⊨ ◇□¬⟨C⟩. That suffices.

⇐: Assume α' ⊨ ◇□¬⟨C⟩. Then, by Lemma 3.5 Part 3, there exists an index j such that
_j|α' ⊨ □¬⟨C⟩. Now, by Condition 4 of Definition 5.4, there exists an i < |α| such that m(i) ≥ j.
Then _{m(i)}|α' is a suffix of _j|α', and consequently, by Lemma 3.5 Part 1, _{m(i)}|α' ⊨ □¬⟨C⟩.

Thus, no actions in C occur in trace(_{m(i)}|α'). By Lemma 5.6 and the fact that C contains
external actions only, no actions in C occur in the suffix _i|α. Thus, _i|α ⊨ □¬⟨C⟩, which, by
Lemma 3.5 Part 4, implies that α ⊨ ◇□¬⟨C⟩. That suffices.
Proof of Lemma 5.11:

Let m be an arbitrary index mapping from α to α' with respect to R.

Assume α' ⊨ ◇□Q. Then, by Lemma 3.5 Part 3, there exists an index j such that _j|α' ⊨ □Q.
Thus, for each state u in _j|α', we have u ⊨ Q. Now, by Condition 4 of Definition 5.4 and the
fact that m is nondecreasing, we get the existence of an index i such that for all i < k < |α|,
m(k) ≥ j. Then, for each state s of α with index k (i < k < |α|) we have s ⊨ P since (by
Condition 2 of Definition 5.4) there exists some u in _j|α' such that (s, u) ∈ R.

This gives us, for all k ≥ 0, (_i|α, k) ⊨ P. (Even if _i|α is finite this is true since P holds in
the stuttering step that stutters the last state since it holds in the last state.) Thus, _i|α ⊨ □P,
which finally, by Lemma 3.5 Part 4, gives α ⊨ ◇□P.



Proof of Lemma 5.13:

1. Let α = s_0 a_1 s_1 a_2 s_2 ···. Let s_{h0} ∈ start(A_h) be such that s_{h0}⌈variables(A) = s_0. Define
α_{h0} = s_{h0}. Then α_{h0}⌈(variables(A), acts(A)) = s_0.

Define α_{hn} inductively as follows. Assume α_{h(n−1)} = s_{h0} a_1 s_{h1} a_2 s_{h2} ··· a_{n−1} s_{h(n−1)} is an
execution of A_h such that α_{h(n−1)}⌈(variables(A), acts(A)) = α|_{n−1}. Then, by Lemma 5.12
Part 1, there exists a step (s_{h(n−1)}, a_n, s_{hn}) ∈ steps(A_h).
Define α_{hn} = s_{h0} a_1 s_{h1} a_2 s_{h2} ··· a_{n−1} s_{h(n−1)} a_n s_{hn}. Then α_{hn}⌈(variables(A), acts(A)) = α|_n.

Then, α_h = lim_{n→|α|} α_{hn} has the required property.

2. Directly from Lemma 5.12 Part 2.



Proof of Lemma 5.14:

A ⊑_S A_h: Let β ∈ traces(A) and let α ∈ exec(A) be such that trace(α) = β. By Lemma 5.13
Part 1 there exists an execution α_h ∈ exec(A_h) such that α_h⌈(variables(A), acts(A)) = α. Then,
since ext(A) = ext(A_h), we have trace(α_h) = trace(α) = β. Thus, β ∈ traces(A_h). That suffices.

A_h ⊑_S A: Let β ∈ traces(A_h) and let α_h ∈ exec(A_h) be such that trace(α_h) = β. By Lemma 5.13
Part 2, α_h⌈A ∈ exec(A). Then, since ext(A) = ext(A_h), we have trace(α_h) = trace(α_h⌈A) = β.
Thus, β ∈ traces(A). That suffices.



Proof of Lemma 5.15:

(A, L) ⊑_L (A_h, L_h): Let β ∈ traces(L) and let α ∈ L be such that trace(α) = β. By Lemma 5.13
Part 1 there exists an execution α_h ∈ exec(A_h) such that α_h⌈A = α. Thus, by definition of L_h
we have α_h ∈ L_h, and since ext(A) = ext(A_h) we finally get trace(α_h) = trace(α) = β, and thus,
β ∈ traces(L_h). That suffices.

(A_h, L_h) ⊑_L (A, L): Let β ∈ traces(L_h) and let α_h ∈ L_h be such that trace(α_h) = β. By
definition of L_h, α_h⌈A ∈ L. Then, since ext(A) = ext(A_h), we have trace(α_h) = trace(α_h⌈A) =
β. Thus, β ∈ L. That suffices.
Proof of Lemma 5.16:

We have

L_h = {α_h ∈ exec(A_h) | α_h⌈A ⊨ Q}
    = {α_h ∈ exec(A_h) | α_h ⊨ Q}

where the first equality follows from the definition of L_h and Lemma 5.13 Part 2, and the last
equality follows from Lemma 4.1. This shows that L_h is induced by Q.



B.3.2 Timed Systems

Proof of Lemma 5.28:

1. Let Σ = ω_0 a_1 ω_1 a_2 ω_2 ···. Define h_0 to be a value of h such that (fstate(ω_0) ∪ [h ↦ h_0]) ∈
start(A_h). Define, for all t ∈ dom(ω_0), ω_{h0}(t)⌈variables(A) = ω_0(t) and ω_{h0}(t).h = h_0.
Then ω_{h0} is a trajectory of A_h.

Now we define ω_{hn} inductively. By the properties of timed executions, (ω_{n−1}, a_n, ω_n) ∈
steps(A). Then by Lemma 5.27 Part 1 there exists a value h_n such that (ω_{n−1} ∪ [h ↦
h_{n−1}], a_n, ω_n ∪ [h ↦ h_n]) ∈ steps(A_h). Then, for all t ∈ dom(ω_n), define ω_{hn}(t)⌈
variables(A) = ω_n(t) and ω_{hn}(t).h = h_n.

Then, Σ_h = ω_{h0} a_1 ω_{h1} a_2 ω_{h2} ··· is a timed execution of A_p and Σ_h⌈variables(A) = Σ.

2. Directly from Lemma 5.27 Part 2.
■

Proof of Lemma 5.32:

Let L_s be a sampling characterization of L such that L_s is induced by Q and define

L_{h,s} = {α_h ∈ exec^∞(A_h) | α_h⌈A ∈ L_s}

Similar to the proof of Lemma 5.16 it is easy to see that L_{h,s} is induced by Q. It now suffices
to show that L_h is induced by L_{h,s}. We must check two conditions.

1. Assume Σ_h ∈ L_h. We must show that for all α_h that sample Σ_h, α_h ∈ L_{h,s}. So, assume
α_h samples Σ_h. Since Σ_h is admissible, also α_h is admissible by Lemma 4.13. Thus, by
definition of L_{h,s} it suffices to show that α_h⌈A ∈ L_s.

Since Σ_h ∈ L_h, we have Σ_h⌈A ∈ L. Lemma 5.31 Part 1 gives that α_h⌈A samples Σ_h⌈A. Then
α_h⌈A ∈ L_s since L_s is a sampling characterization of L. That suffices.

2. Assume Σ_h ∈ t-exec^∞(A_h) and, for all α_h that sample Σ_h, α_h ∈ L_{h,s}. We must show that
Σ_h ∈ L_h. By definition of L_h it suffices to show that Σ_h⌈A ∈ L.

Let α be an arbitrary execution of A such that α samples Σ_h⌈A. Then Lemma 5.31 Part
2 gives the existence of an execution α_h of A_h such that α = α_h⌈A and α_h samples Σ_h.
Thus, the assumption for this case implies α_h ∈ L_{h,s}. By Lemma 4.13 α_h is admissible.
Then the definition of L_{h,s} implies that α ∈ L_s. Since α was arbitrary, the definition of
sampling characterization implies that Σ_h⌈A ∈ L. That suffices.

That concludes the proof.



Appendix C 

Invariance Proofs 



In this chapter we prove the invariants stated in the G and C specifications. We use the normal 
proof technique: 

• Show that the invariant is satisfied in every initial state. 

• Assume the invariant and all previously proved invariants hold in a state s, and for all 
steps (s,a,s') show that the invariant holds in s' . 

Many of the invariants consist of several parts. We prove that the conjunction of these parts is 
an invariant. It follows that each conjunct (part) is then itself an invariant. All the parts of the 
invariants are of the form 

If C then P 

where, in some cases, C = true. For the sake of brevity we consider only, in the second part 
of the proof technique above, the steps that can change C from false to true or make P false 
while C is true since these are the only steps that might invalidate the invariant. We refer to 
such steps as the critical steps for the invariant (part). 

C.1 Proof of Invariants at the G Level

Proof of Invariant 8.1

• Since mode_s = idle in the initial states of G, it follows that both parts of the invariant
are satisfied in the initial states.

• We now consider the two parts separately.

1. We consider the critical steps. (Note that none of the steps in G can remove elements
from used_s.)

a = choose_id(id, m)

This step changes mode_s to send but at the same time the new value of last_s is
appended to the end of used_s, so Part 1 holds after the step.

a ∈ {receive_pkt_rs(id, b), recover_s}

Both of these steps can change last_s but at the same time mode_s is changed to non-
send, so Part 1 holds after the steps.

2. The proof of this part follows directly from the proof of Part 1 and the fact that used_s
is a queue of IDs. (Remember that nil ∉ ID.)



Proof of Invariant 8.2

• Since mode_s = idle and used_s = ε in the initial states of G, both parts of the invariant hold
in the initial states.

• We assume that both parts hold in state s. For each part we consider the critical steps of
the form (s, a, s').

1. a = prepare

This step changes mode_s to needid but at the same time good_s is changed to ∅, so
Part 1 holds in s'.

a = choose_id(id, m)

This step adds an id to used_s but at the same time mode_s is changed to send, so Part
1 holds in s'.

a = grow_good_s(ids)

We consider this case when s.mode_s = needid. The step adds identifiers to used_s but
since s.mode_s = needid the step can only add ids that do not intersect with s.used_s.
Thus, since Part 1 is assumed to hold in s, it also holds in s'.

2. a = choose_id(id, m)

This step adds the element id from s.good_s to used_s but since s.mode_s = needid, the
assumption that Part 1 holds in s gives us that id ∉ s.used_s. Thus Part 2 holds in s'.



Proof of Invariant 8.3

• Initially mode_r = idle so the invariant holds.

• Assume that the invariant holds in s. We now consider all the critical steps of the form
(s, a, s').

1. a = receive_pkt_sr(m, id)

If this step changes mode_r to rcvd, it also adds an element to buf_r, so Part 1 holds in
s'.

a = receive_msg(m)

This step can make buf_r empty, but in this case, mode_r is changed to ack, so Part 1
holds in s'.



Proof of Invariant 8.4

• Part 1 holds initially because mode_s = idle. issued_r is initially a superset of good_r, thus
satisfying Part 2. For Parts 3, 4, 5, and 6 the sets that are supposed to be subsets are
initially empty, so the result follows. Since last_r is initially nil, Parts 7 and 8 are also
satisfied.

• For each part of the invariant we consider the critical steps (s, a, s'), where we assume that
all parts of this invariant hold in s, and that previously proved invariants hold in both s
and s'. (For Parts 1, 2, and 3, note that issued_r can never shrink, and for Parts 4, 5, 6,
and 8, note that used_s can never shrink.)

1. a = prepare

This step changes mode_s to needid, but at the same time good_s is made empty, so
Part 1 holds in s'.

a = recover_r

This step changes mode_r from rec to nonrec (idle) but at the same time issued_r is
changed to some superset of good_s, so Part 1 holds in s'.

a = grow_good_s(ids)

We consider the case where s.mode_s = needid and s.mode_r ≠ rec. The step adds
some elements to good_s, but in the case we consider, the elements that are added are
all in s.issued_r. So, since we assume Part 1 holds in s, it also holds in s'.

2. a = grow_good_r(ids)

This step adds elements to good_r but at the same time the same elements are added
to issued_r. So, since we assume that Part 2 holds in s, it also holds in s'.

3. a = recover_r

This step changes mode_r from rec to non-rec, but at the same time issued_r is changed
to some superset of used_s, so Part 3 holds in s'.

a = prepare

Consider this step when s.mode_r ≠ rec. We add an element id from s.good_s to used_s.
From Part 1 we get that id belongs to s.issued_r, so adding id to used_s does not violate
Part 3.

4. In the proof, we let id-set denote the set 
ids(sr) ∪ (if mode_s = send then {last_s}) in
any state of G.

a = choose_id(id, m)

This step changes mode_s to send so s'.last_s gets added to id-set, but from Invariant 8.1
Part 1 we get that s'.last_s ∈ s'.used_s, so Part 4 is not violated.

a = send_pkt_sr(m, id)

This step might add a packet to the channel (sr), but since a precondition for the step
is s.mode_s = send, the id on the packet is already in id-set, thus this step does not
change id-set. So, since Part 4 holds in s, it also holds in s'.

5. a = receive_pkt_sr(m, id)

This is the only step that may add an identifier to nack-buf_s. The identifier id added
is in ids(s.sr), so since we assume that Part 4 holds in state s we get that id ∈ s.used_s,
so Part 5 is not violated.
6. a = send_pkt_rs(id, true)

This step can add a packet with identifier s.last_r to the return channel rs. The action
is only possible if s.last_r ∈ ID, i.e., if s.last_r ≠ nil. But then Part 8 gives us that
s.last_r ∈ s.used_s, thus this step cannot violate Part 6.

a = send_pkt_rs(id, false)

This step can add a packet with an identifier from s.nack-buf to rs. From Part 5 in
state s we get that this identifier is in s.used_s, so the step cannot violate Part 6.

7. a = receive_pkt_sr(m, id)

This step can change last_r to id which belongs to s.good_r. However, at the same time
id is removed from good_r. It remains to be shown that id ∈ s'.issued_r. Since we
assume that all parts of this invariant hold in s, Part 2 gives us that id ∈ s.issued_r,
and since issued_r is not changed in the step, we get id ∈ s'.issued_r. The result follows
directly.

a = recover_r

This step changes last_r to nil. But since good-ids is a set of elements from ID and
nil ∉ ID, Part 7 holds in state s'.

a = grow_good_r(ids)

This step does not change good-ids, so Part 7 holds in state s'.

8. a = receive_pkt_sr(m, id)

This is the only step that can change last_r to non-nil. last_r is changed to an identifier
id in a packet in s'.sr. From Part 4 in state s we get that id ∈ s.used_s, so since used_s
does not change in the step, Part 8 holds in state s'.



Proof of Invariant 8.5

• Initially sr = ε and mode_s ≠ send, so the invariant holds.

• We consider the critical steps (s, a, s'), where we assume that this invariant holds in s,
and that previously proved invariants hold in both s and s'. Note that no step can
change current-msg_s and end up in a state with mode_s = send. Also, no step, except
choose_id(id, m), can change last_s and end up in a state with mode_s = send.

1. a = choose_id(id, m)

This step changes mode_s from needid to send. From Invariant 8.4 Part 4 we get that
s.used_s ⊇ ids(s.sr). From Invariant 8.2 Part 1 and the definition of choose_id(id, m)
we then get that s'.last_s ∉ ids(s'.sr), so this step does not invalidate the invariant.



Proof of Invariant 8.6

• Initially current-ok = false, so all parts of the invariant hold.

• For each part of the invariant we consider the critical steps (s, a, s'), where we assume that
all parts of this invariant hold in s, and that previously proved invariants hold in both
s and s'. Note, for Parts 3, 4, 6, and 7, that no step, except choose_id(id, m), can
change last_s without also changing mode_s to something other than send.

1. a = prepare

This changes current-ok to true if s.mode_r ≠ rec, but at the same time mode_s is
changed to needid, so Part 1 holds in state s'.

a = receive_pkt_rs(id, b)

In order for this step to change mode_s to idle, we must have s.mode_s = send and
(s.last_s, b) ∈ s.rs. In that case the step can only violate Part 1 if s.current-ok = true,
but this cannot be the case since we assume that Part 4 holds in state s. Thus, the
step cannot violate Part 1.

a = crash_s

This step can change mode_s from needid or send to rec, but at the same time
current-ok is set to false, so Part 1 holds in state s'.

2. a = prepare

This step changes current-ok to true, but only if mode_r ≠ rec, so Part 2 holds in s'.

a = crash_r

This is the only step that can change mode_r from non-rec to rec, but at the same
time current-ok is made false, so Part 2 holds in s'.

3. a = choose_id(id, m)

This is the only step that can change the condition in Part 2 from false to true. This
happens if s.current-ok = true. Since s.mode_s = needid, Part 5, which we assume
holds in s, gives us that s'.last_s ∈ s.good_r, which again implies that s'.last_s ∈ s'.good_r.
From Invariant 8.4 Part 7 we get that s'.last_r ∉ s'.good_r. Thus s'.last_s ≠ s'.last_r, so
Part 3 holds in s'.

a = receive_pkt_sr(m, id)

This step can make s'.last_s = s'.last_r, but in this case current-ok is changed to false,
so Part 3 holds in s'.

a = recover_r

Consider this step when mode_s = send and current-ok = true. The step changes last_r
to nil, but from Invariant 8.1 Part 2 we have s'.last_s ≠ nil, so Part 3 holds in s'.

4. a = choose_id(id, m)

This is the only step that can change the condition in Part 2 from false to true. This
happens if s.current-ok = true, so assume this. In state s we get from Invariant 8.4
Part 6 that all ids on s.rs are in s.used_s. From Invariant 8.2 Part 1 we get that s'.last_s ∉
s.used_s. Since rs is not changed in the step, we finally conclude that (s'.last_s, b) ∉ s'.rs,
so Part 4 holds in state s'.

a = send_pkt_rs(id, true)

Consider this action when mode_s = send and current-ok = true. (s.last_r, true) might
be added to rs, but from Part 3 we get that Part 4 is not violated.

a = send_pkt_rs(id, false)

Consider this action when mode_s = send and current-ok = true. A packet with an id
from s.nack-buf_r might be added to rs, but from Part 7 (which we assume holds in s)
we get that Part 4 is not violated.

5. a = prepare

This step can make current-ok = true and mode_s = needid, but at the same time
good_s is made empty, so Part 5 holds in state s'.

a = grow_good_s(ids)

This step can only add elements from good_r to good_s when current-ok = true and
mode_s = needid, so Part 5 holds in state s'.

a = shrink_good_r(ids)

This step can only remove elements not in good_s from good_r when current-ok = true
and mode_s = needid, so Part 5 holds in state s'.

6. a = choose_id(id, m)

Consider this step when s.current-ok = true. The step changes mode_s to send and
changes last_s to a value from s.good_s. Since s.mode_s = needid, Part 5 gives us that
s'.last_s ∈ s.good_r, so since good_r is not changed in the step, Part 6 holds in s'.

a = shrink_good_r(ids)

When current-ok = true and mode_s = send, this step cannot remove s.last_s from
good_r, so Part 6 holds in s'.

7. a = choose_id(id, m)

Consider this step when s.current-ok = true. The step changes mode_s to send and
changes last_s to a value from s.good_s. Since s.mode_s = needid, Invariant 8.2 Part 1
gives us that s'.last_s ∉ s.used_s. From Invariant 8.4 Part 5 we then get that s'.last_s ∉
s.nack-buf_r, which again implies s'.last_s ∉ s'.nack-buf_r since nack-buf_r is not changed
in the step. So, Part 7 holds in state s'.

a = receive_pkt_sr(m, id)

This step can add an identifier to nack-buf_r. Assume s.current-ok = true and
s.mode_s = send. We must show that s.last_s (= s'.last_s) cannot be added to nack-buf_r
under these assumptions. From Part 6 we have that s.last_s ∈ s.good_r, so from the
definition of receive_pkt_sr(m, id) we get that nack-buf_r is not changed. Thus, Part 7
holds in state s'.



Proof of Invariant 8.7

Parts 1 and 2 are reformulations of Invariant 8.6 Parts 3 and 4, respectively.

Proof of Invariant 8.8

• Since initially mode_s = idle and current-ack_s = false, all parts hold.

• For each part of the invariant we consider the critical steps (s, a, s'), where we assume that
all parts of this invariant hold in s, and that previously proved invariants hold in both s
and s'. Note, for Parts 1, 2, and 3, that no step, except choose_id(id, m), can change
last_s without also changing mode_s to something other than send. Note also that no step
can make good-ids grow; good-ids can only shrink.

1. a = choose_id(id, m)

This step changes mode_s to send. In state s we get from Invariant 8.4 Part 4 that
s.used_s ⊇ ids(sr). From the definition of choose_id(id, m) we see that s'.last_s is placed
at the end of used_s, thus by the definition of the partial order of identifiers we see that
Part 1 holds in s'.

a = send_pkt_sr(m, id)

This step might add (m, s.last_s) to sr while mode_s = send. But since Part 1 is assumed
to hold in s, it is obvious that it also holds in s'.

2. a = choose_id(id, m)

Although this step changes mode_s from needid to send, it does not make last_s = last_r.
To see why this is so, note that either s'.last_r = nil, in which case the result follows
directly (since s'.last_s ≠ nil by Invariant 8.1 Part 1), or s'.last_r = s.last_r ≠ nil, in
which case Invariant 8.4 Part 8 implies that s'.last_r ∈ s.used_s and Invariant 8.2 Part 1
implies that s'.last_s ∉ s.used_s, so again the result follows. Thus, Part 2 holds in s'.

a = receive_pkt_sr(m, id)

Consider the case where s.mode_s = s'.mode_s = send, id = s.last_s = s'.last_s ∈ s.good_r,
and s.mode_r = s'.mode_r ≠ rec. In this case we get s'.last_s = s'.last_r. We must
show that ({s'.last_s} ∪ ids(s'.sr)) ∩ s'.good-ids = ∅. From Invariant 8.4 Parts 3 and
4 we get that s'.issued_r ⊇ {s'.last_s} ∪ ids(s'.sr). So what remains to be shown is
that ({s'.last_s} ∪ ids(s'.sr)) ∩ s.good_r = ∅. From Part 1 we get that id ≥ ({s.last_s} ∪
ids(s.sr)). Since we remove all identifiers less than or equal to id from good_s in this
step, and since Invariant 8.4 Part 4 ensures that all packets in sr have identifiers that
are related to id, the result follows. Thus, Part 2 holds in s'.

a = send_pkt_sr(m, id)

This step can change sr, but only with a packet with the identifier s.last_s. Since we
assume that Part 2 holds in s, it follows that it also holds in s'.

3. a = choose_id(id, m)

Although this step changes mode_s from needid to send, it does not make the packet
(s'.last_s, true) belong to s'.rs. We show why this is so. Since rs is not changed in the
step, we get from Invariant 8.4 Part 6 that s.used_s ⊇ ids(s'.rs). Invariant 8.2 Part 1
together with the definition of choose_id(id, m) gives us s'.last_s ∉ s.used_s. Thus we
get s'.last_s ∉ ids(s'.rs), which gives the result. So, Part 3 holds in s'.

a = send_pkt_rs(id, true)

Consider this step while s.mode_s = s'.mode_s = send and id = s.last_r = s.last_s =
s'.last_s. The step might succeed in putting the packet (s'.last_s, true) into the channel.
We show that ({s'.last_s} ∪ ids(s'.sr)) ∩ s'.good-ids = ∅. From Part 2 we get that
({s.last_s} ∪ ids(s.sr)) ∩ s.good-ids = ∅. Since neither last_s, sr, nor good-ids are changed
in the step, the result follows directly. So, Part 3 holds in s'.

a = send_pkt_sr(m, id)

This step can change sr, but only with a packet with the identifier s.last_s. Since we
assume that Part 3 holds in s, it follows that it also holds in s'.

4. a = receive_pkt_rs(id, b)

This step can change mode_s to idle and current-ack_s to true if b = true and id =
s.last_s; thus, (s.last_s, true) must be on s.rs. Then Part 3 implies that ids(s.sr) ∩
good-ids = ∅. It now directly follows that Part 4 holds in state s'.



Proof of Invariant 8.9

• Since initially buf_r = ε, all parts of the invariant hold.

• For each part of the invariant we consider the critical steps (s, a, s'), where we assume that
all parts of this invariant hold in s, and that previously proved invariants hold in both s
and s'.

1. a = recover_r

This step changes mode_r to idle, but at the same time buf_r is made empty, so Part 1
holds in s'.

a = send_pkt_rs(id, true)

This step can change mode_r to idle, but from Part 2 in state s we get buf_r = ε, so
Part 1 holds in s'.

a = cleanup_r

This step changes mode_r to idle, but since s.mode_r ∈ {idle, ack} from the precondition,
this part and Part 2 imply that buf_r was already empty. Thus, Part 1 holds in s'.

2. a = receive_pkt_sr(m, id)

We consider this step in two different situations:

— The step can make buf_r nonempty, but at the same time mode_r is changed to
rcvd.

— The step can change mode_r from idle to ack, but then Part 1 implies that buf_r
was already empty.

So, Part 2 holds in state s'.

a = receive_msg(m)

This step can change mode_r to ack, but this only happens if s'.buf_r = ε, so Part 2
holds in state s'.

3. a = choose_id(id, m)

Although this step makes mode_s = send, it does not make the packet (s'.last_s, true)
belong to s'.rs. The argument is the same as for the corresponding case in the proof
of Invariant 8.8 Part 3. So, Part 3 holds in state s'.

a = send_pkt_rs(id, true)

This step can put (s'.last_s, true) into rs, but since s.mode_r = ack, Part 2 gives us that
s.buf_r (= s'.buf_r) = ε. So, Part 3 holds in state s'.

a = receive_pkt_sr(m, id)

This step might add an element to buf_r. We show that this cannot happen while
mode_s = send and (last_s, true) ∈ rs. If an element is added to buf_r in the step, then
id ∈ s.good_r, i.e., ids(s.sr) ∩ s.good-ids ≠ ∅, but this contradicts Invariant 8.8 Part 3.
So, Part 3 holds in state s'.

4. a = receive_pkt_rs(id, true)

Consider this step when id = s.last_s. Then (s.last_s, true) ∈ s.rs. Since s.mode_s =
send, Part 3 implies that s.buf_r = ε, which in turn implies that s'.buf_r = ε. So, Part 4
holds in state s'.

a = receive_pkt_sr(m, id)

This step might add an element to buf_r. The argument that this cannot happen while
mode_s = idle and current-ack_s = true is similar to the argument in the corresponding
case in the proof of Part 3, only in this case we get a contradiction with Invariant 8.8
Part 4. So, Part 4 holds in state s'.



Proof of Invariant 8.10

• Initially nack-buf_r = ε and rs = ∅, so the parts hold.

• For each part of the invariant we consider the critical steps (s, a, s'), where we assume that
all parts of this invariant hold in s, and that previously proved invariants hold in both s
and s'. Note that no step can make good-ids grow.

1. a = receive_pkt_sr(m, id)

Consider this step when s.mode_r ≠ rec and id ∉ s.good_r. Then id might be added to
nack-buf_r. Since id ∉ s.good_r and good_r is unchanged in the step, we get s'.nack-buf_r ∩
s'.good_r = ∅ (since we assume that Part 1 holds in s). From Invariant 8.4 Parts 3
and 5 it follows that s'.nack-buf_r ∩ s'.issued_r = ∅. So, Part 1 holds in state s'.

2. a = send_pkt_rs(id, true)

This step might add (last_r, true) to rs, but from Invariant 8.4 Part 7 we get that
last_r ∉ good-ids, so this step cannot violate Part 2.

a = send_pkt_rs(id, false)

Then id ∈ s.nack-buf_r, so Part 1 directly gives us that this step cannot violate Part 2.

■ 

Proof of Invariant 8.11

• Initially mode_s = idle, so both parts hold.

• For each part of the invariant we consider the critical steps (s, a, s'), where we assume that
both parts of this invariant hold in s, and that previously proved invariants hold in both s
and s'. Note that no action, except choose_id(id, m), can change last_s without also changing
mode_s to non-send. Also, from Invariant 8.1 Part 2 we get that all steps that change last_r
to nil are not critical.

1. a = choose_id(id, m)

Although this step changes mode_s to send, it does not make the identifier s'.last_s belong
to s'.nack-buf_r. We show why this is so. Invariant 8.2 Part 1 implies that s'.last_s ∉
s.used_s. From Invariant 8.4 Part 5 and the fact that nack-buf_r is not changed in the
step, we get that s.used_s ⊇ s'.nack-buf_r, which gives the result. So, Part 1 holds in
state s'.

a = receive_pkt_sr(m, id)

We consider two cases.

— Consider the step when id = last_s. Then last_s can be added to nack-buf_r, but this
can only happen if last_s ≠ last_r, so Part 1 is not violated.

— Consider the step when s.mode_r ≠ rec, id = last_s, and last_s ∈ s.good_r. Then
s'.last_s = s'.last_r. We show that then s.last_s ∉ s.nack-buf_r (which is the same as
showing s'.last_s ∉ s'.nack-buf_r). First assume s.last_s ∈ s.nack-buf_r. Then Invariant
8.10 Part 1 implies that s.last_s ∉ s.good_r, but this contradicts the assumption
that last_s ∈ s.good_r. Thus, Part 1 holds in state s'.

2. a = choose_id(id, m)

Although this step changes mode_s to send, it does not make the packet (s'.last_s, false)
belong to s'.rs. The argument that this is so is similar to the argument in the corresponding
case in the proof of Invariant 8.8 Part 3. So, Part 2 holds in state s'.

a = send_pkt_rs(id, false)

Consider this step when id = last_s, i.e., last_s is first on s.nack-buf_r. Then Part 1
implies that s.last_s ≠ s.last_r, so, since neither last_s nor last_r change in the step,
Part 2 holds in state s'.

a = receive_pkt_sr(m, id)

Assume s.mode_r ≠ rec and last_s = id ∈ s.good_r. Then s'.last_r = s'.last_s. We show
that then (last_s, false) ∉ rs. First assume (last_s, false) ∈ rs. Then Invariant 8.10
Part 2 implies that last_s ∉ s.good-ids, but this contradicts the assumption that last_s ∈
s.good_r. Thus, Part 2 holds in state s'.
Proof of Invariant 8.12

• The invariant is explicitly required to hold in all start states.

• We consider the critical steps (s, a, s'), where we assume that the invariant holds in s, and
that previously proved invariants hold in both s and s'.

1. a = recover_r or a = shrink_good_r(ids)

These steps explicitly require the invariant to hold in s'.
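The proofs above check each invariant by hand, one critical step at a time. The following Python program is an added example, not part of the report, that performs the same kind of check by brute force on a deliberately small abstraction of the identifier bookkeeping: identifiers are integers, a single message is sent, the sender chooses directly from the receiver's good set (the report's good_s and grow_good_s steps are collapsed into choose_id), the sr channel may duplicate a packet, and a receiver crash keeps issued_r so that identifiers issued after recovery are fresh. All transition rules, the names State, successors, violated and explore, and the flag forget_issued are assumptions of this example and not the report's automaton. The flag models a receiver that forgets issued_r on recovery and may therefore reissue an identifier that is still in transit; the proofs above never let good-ids grow back in that way, and the exploration shows what is lost if they could: a duplicate delivery is reached in eight steps, while with fresh identifiers none of the checked invariants fails in any reachable state.

```python
"""Brute-force invariant check on a constructed abstraction of the protocol's
identifier bookkeeping (an added example, not the report's automaton)."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

MSG = "m"     # constructed: one message is enough to expose identifier reuse
MAX_ID = 2    # constructed identifier pool {1, 2}; keeps the state space small


@dataclass(frozen=True)
class State:
    mode_s: str = "idle"                       # idle | send
    last_s: Optional[int] = None               # identifier of the current send
    used_s: FrozenSet[int] = frozenset()       # every identifier the sender chose
    mode_r: str = "idle"                       # idle | ack | rec
    last_r: Optional[int] = None               # identifier of the last accepted packet
    good_r: FrozenSet[int] = frozenset()       # identifiers the receiver will accept
    issued_r: FrozenSet[int] = frozenset()     # every identifier the receiver issued
    nack_buf_r: FrozenSet[int] = frozenset()   # identifiers waiting to be nacked
    sr: FrozenSet[Tuple[str, int]] = frozenset()   # sender -> receiver packets
    rs: FrozenSet[Tuple[int, bool]] = frozenset()  # receiver -> sender packets
    delivered: Tuple[int, ...] = (0,) * MAX_ID     # deliveries per id, capped at 2


def successors(s: State, forget_issued: bool) -> List[Tuple[str, State]]:
    """Enabled (action, next state) pairs under the assumed transition rules."""
    out = []
    if s.mode_s == "idle":               # choose a good identifier never used before
        for i in sorted(s.good_r - s.used_s):
            out.append((f"choose_id({i})", replace(
                s, mode_s="send", last_s=i, used_s=s.used_s | {i})))
    else:                                # (re)transmit the current packet
        out.append(("send_pkt_sr", replace(s, sr=s.sr | {(MSG, s.last_s)})))
    for (i, b) in sorted(s.rs):          # an ack or nack for last_s ends the send
        nxt = replace(s, rs=s.rs - {(i, b)})
        if s.mode_s == "send" and i == s.last_s:
            nxt = replace(nxt, mode_s="idle")
        out.append((f"receive_pkt_rs({i},{b})", nxt))
    if s.mode_r == "rec":                # recovery clears the receiver's working state
        out.append(("recover_r", replace(
            s, mode_r="idle", last_r=None, good_r=frozenset(), nack_buf_r=frozenset(),
            issued_r=frozenset() if forget_issued else s.issued_r)))
        return out
    if len(s.issued_r) < MAX_ID:         # issue one identifier, fresh w.r.t. issued_r
        i = max(s.issued_r, default=0) + 1
        out.append(("issue_good_r", replace(
            s, good_r=s.good_r | {i}, issued_r=s.issued_r | {i})))
    for (_, i) in sorted(s.sr):          # the packet stays in sr: the channel may duplicate
        if i in s.good_r:                # accept: deliver and retire every id <= i
            d = tuple(min(c + 1, 2) if j == i - 1 else c for j, c in enumerate(s.delivered))
            out.append((f"receive_pkt_sr({i})", replace(
                s, mode_r="ack", last_r=i, delivered=d,
                good_r=frozenset(g for g in s.good_r if g > i))))
        else:                            # reject: queue a negative acknowledgement
            out.append((f"receive_pkt_sr({i})", replace(s, nack_buf_r=s.nack_buf_r | {i})))
    if s.mode_r == "ack":
        out.append(("send_pkt_rs(true)", replace(
            s, mode_r="idle", rs=s.rs | {(s.last_r, True)})))
    for i in sorted(s.nack_buf_r):
        out.append((f"send_pkt_rs({i},false)", replace(
            s, nack_buf_r=s.nack_buf_r - {i}, rs=s.rs | {(i, False)})))
    out.append(("crash_r", replace(s, mode_r="rec")))
    return out


def violated(s: State) -> List[str]:
    """Invariants from the proofs above, plus at-most-once delivery, on one state."""
    bad = []
    if not {i for (_, i) in s.sr} <= s.used_s:
        bad.append("8.4(4): ids(sr) subset of used_s")
    if s.last_r is not None and s.last_r in s.good_r:
        bad.append("8.4(7): last_r not in good_r")
    if not s.nack_buf_r.isdisjoint(s.good_r):
        bad.append("8.10(1): nack_buf_r and good_r disjoint")
    if not {i for (i, _) in s.rs}.isdisjoint(s.good_r):
        bad.append("8.10(2): ids(rs) and good_r disjoint")
    if any(c > 1 for c in s.delivered):
        bad.append("at-most-once: no identifier delivered twice")
    return bad


def explore(forget_issued: bool, max_states: int = 300_000) -> Dict[str, List[str]]:
    """BFS over reachable states; maps each violated invariant to a shortest trace."""
    init = State()
    seen = {init}
    queue = deque([(init, [])])
    found: Dict[str, List[str]] = {}
    while queue and len(seen) < max_states:
        s, trace = queue.popleft()
        for name in violated(s):
            found.setdefault(name, trace)
        for act, nxt in successors(s, forget_issued):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [act]))
    return found


if __name__ == "__main__":
    print("fresh identifiers after recovery:", explore(forget_issued=False))
    print("forgetful recovery:", explore(forget_issued=True))
```

The per-state check in violated is the analogue of the inductive step: the exploration visits every reachable state of the finite model, so an empty result for the fresh-identifier variant is an exhaustive confirmation rather than an inductive proof, and the trace returned for the forgetful variant is the concrete counterexample that a hand proof of at-most-once delivery would have to rule out.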



C.2 Proof of Invariants at the C Level

In this section we prove the invariants of A_C presented in Section 10.5.2. As above, we prove
the invariants by induction, proving that they hold in the (unique) start state and that all steps
preserve the invariants. As above, in the inductive step of the inductive arguments we only
consider "critical steps" that might invalidate the invariant.
In the proofs the steps have the form (s, a, s').

Proof of Invariant 10.1

• Initially all the involved variables are 0, so all parts hold.

• 1. a = tick_s(t)

This step changes both ctime_s and time_s to t.

2. a = tick_r(t)

This step changes both ctime_r and time_r to t.

3. a = ν

The precondition on the time-passing steps of the clock subsystem (and thus on all of
C) ensures that |s'.ctime_s − s'.now| < ε. Part 1 then gives the result.

4. a = ν

The precondition on the time-passing steps of the clock subsystem (and thus on all of
C) ensures that |s'.ctime_r − s'.now| < ε. Part 2 then gives the result.

5. Parts 3 and 4 directly imply the result.



Proof of Invariant 10.2

• Initially upper_r = β > 2ε + l'_r > 2ε. Since initially now = time_s = time_r = 0, all the
invariants hold.

• 1. a = recover_r

This makes s'.mode_r ≠ rec, but at the same time s'.upper_r = s'.time_r + β > s'.time_r +
2ε + l'_r > s'.now + ε + l'_r, where the last inequality follows from Invariant 10.1 Part 4.

a = increase-upper_r(t)

As for the previous case, s'.upper_r > s'.now + ε + l'_r.

a = ν

Assume s.mode_r ≠ rec. From the upper time bound on the class C_{C,2}, consisting
of all increase-upper_r(t) actions, we have s'.now < s.last(C_{C,2}). The variable
last(C_{C,2}) is set to now + l'_r whenever a recover_r step occurs (since then C_{C,2}
becomes enabled) or an increase-upper_r(t) step occurs (since then increase-upper_r(t)
becomes reenabled). Now, since we assume s.mode_r ≠ rec, let now_0 and upper_{r,0} denote
real time and upper_r right after the last recover_r or increase-upper_r(t) step. Then
s'.now < s.last(C_{C,2}) = now_0 + l'_r, so now_0 > s'.now − l'_r. Now, from the recover_r
and increase-upper_r(t) cases above we finally get s'.upper_r = upper_{r,0} > now_0 + ε + l'_r >
(s'.now − l'_r) + ε + l'_r = s'.now + ε.

Note: We are here actually departing from our normal way of proving invariants,
since we use more information, like now_0, than is available in s. What we could have
done was to introduce a history variable now_0 that is set to now in recover_r and
increase-upper_r(t) steps. We could then easily have proved the invariants

If mode_r ≠ rec then last(C_{C,2}) = now_0 + l'_r and now < now_0 + l'_r

upper_r > now_0 + ε + l'_r

from which the result would follow. We go through the same arguments but have chosen,
for brevity, to avoid explicitly introducing the extra history variable.

2. This part follows directly from Part 1 and Invariant 10.1 Part 3.

3. This part follows directly from Part 1 and Invariant 10.1 Part 4.



Proof of Invariant 10.3

• Initially last_s = time_s = 0 and mode_s = idle, so both parts hold.

• 1. a ∈ {choose_id(t), recover_s, tick_s(t)}

All such steps clearly preserve this part.

2. a = choose_id(t)

Changes mode_s to send, but also explicitly sets s'.last_s = t > s.last_s ≥ 0.



Proof of Invariant 10.4 

Straightforward. 

■ 

Proof of Invariant 10.5 

Straightforward. 

■ 

Proof of Invariant 10.6 

Straightforward. 
Proof of Invariant 10.7

• Initially lower_r = time_s = last_s = 0, so both parts of the invariant hold.

• 1. No steps can make time_s smaller, so we need only check the steps that make lower_r
bigger.

a = recover_r

Then s'.lower_r = s.upper_r and s.upper_r + 2ε < s.time_r. Therefore, s'.lower_r <
s.time_r − 2ε < s.time_s = s'.time_s, where we have used Invariant 10.1 Part 5.

a = increase-lower_r(t)

Then s'.lower_r < s.time_r − ρ < s.time_r − (kl_s + d + 2ε) < s.time_r − 2ε < s.time_s =
s'.time_s, where we again have used Invariant 10.1 Part 5.

a = receive_pkt_sr(m, t)

The only way for lower_r to increase is for s'.lower_r = t, but then, since ((m, t), _) ∈ s.sr,
Invariants 10.6 Part 1 and 10.3 Part 1 imply that s'.lower_r < s.last_s < s.time_s =
s'.time_s.

2. a ∈ {recover_r, increase-lower_r(t)}

Same argument as for the previous part.

a = receive_pkt_sr(m, t)

Assume s'.last_s < s'.time_s. Since s.last_s = s'.last_s and s.time_s = s'.time_s, we also
have s.last_s < s.time_s. The only way for lower_r to increase is for s'.lower_r = t, but
then, since ((m, t), _) ∈ s.sr, Invariant 10.6 Part 1 implies that s'.lower_r < s.last_s <
s.time_s = s'.time_s.

a = tick_s(t)

Assume s'.last_s < s'.time_s. From Invariant 10.3 Part 1 we have s.last_s ≤ s.time_s. We
consider cases:

— s.last_s < s.time_s

Then s.lower_r < s.time_s by the inductive hypothesis, so we have s'.lower_r =
s.lower_r < s.time_s < s'.time_s, as needed, where the last inequality follows from
the definition of tick_s(t).

— s.last_s = s.time_s

Then since s.last_s = s'.last_s < s'.time_s we have s.time_s < s'.time_s. Since s'.lower_r =
s.lower_r, and s.lower_r < s.time_s by Part 1, we have s'.lower_r < s'.time_s, as needed.



Proof of Invariant 10.8 

Straightforward. 

■ 

Proof of Invariant 10.9 

Straightforward. 
Proof of Invariant 10.10

• Initially deadline = ∞ and now = 0, and since mode_s = idle we have bound = ∞, so all
parts hold.

• 1. a = choose_id(t)

Then s'.last_s = t. Let m = s'.current-msg_s.

If s.mode_r = s'.mode_r = rec, then s'.deadline = s.deadline and the induction hypothesis
Part 7 implies that s.deadline = ∞, so we are done.

So, assume s.mode_r ≠ rec. From the precondition of choose_id(t) we have t >
s.last_s. Now Invariants 10.5 Part 1 and 10.6 Part 1 imply, since s'.count_sr(m, t) =
s.count_sr(m, t) and s'.sr = s.sr, that s'.count_sr(m, t) = 0 and (m, t) ∉ packets(s'.sr).
Now, since C_{C,s} becomes reenabled in s', we have s'.last(C_{C,s}) = s'.now + l_s. Thus,

s'.bound = s'.last(C_{C,s}) + (k − 1 − s'.count_sr(m, t)) l_s + d
         = s'.now + l_s + (k − 1) l_s + d
         = s'.deadline

That suffices.

a = send_pkt_sr(m, t)

We consider cases:

— (m, t) ∈ packets(s.sr)

Then s'.bound = s.bound, since the mintime of the (m, t) packets does not change.
Since also s'.deadline = s.deadline, the result follows.

— (m, t) ∉ packets(s.sr)

* (m, t) ∉ packets(s'.sr)

Then s'.count_sr(m, t) = s.count_sr(m, t) + 1. We now have

s'.bound = s'.last(C_{C,s}) + (k − 1 − s'.count_sr(m, t)) l_s + d
         = s'.now + l_s + (k − 1 − s'.count_sr(m, t)) l_s + d
         = s'.now + (k − 1 − s.count_sr(m, t)) l_s + d
         ≤ s.last(C_{C,s}) + (k − 1 − s.count_sr(m, t)) l_s + d
         = s.bound

The induction hypothesis Part 1 now implies

s'.deadline = s.deadline ≥ s.bound ≥ s'.bound

* (m, t) ∈ packets(s'.sr)

Then s'.bound = d + s'.now and

s.bound = s.last(C_{C,s}) + (k − 1 − s.count_sr(m, t)) l_s + d
        ≥ s.last(C_{C,s}) + d
        ≥ s'.now + d
        = s'.bound

where the first inequality follows from Invariant 10.5 Part 2 and the second
inequality follows from the facts that time cannot pass beyond any last(C) variable
and s'.now = s.now.
The induction hypothesis Part 1 now implies

s'.deadline = s.deadline ≥ s.bound ≥ s'.bound
a = receive_pkt_sr(m, t)

For such a step to change either bound or deadline, i.e., for such a step to be able to
invalidate the invariant part under consideration, we must have s.mode_s = send (=
s'.mode_s) and t = s.last_s (= s'.last_s). Invariant 10.6 Part 2 then implies that m =
s.current-msg_s (= s'.current-msg_s).

If s.deadline = ∞, then also s'.deadline = ∞ and the result follows.

So, assume s.deadline ≠ ∞. The induction hypothesis Part 7 then implies s.mode_r ≠
rec.

We now show that s.lower_r < t < s.upper_r.

The lower bound follows from the induction hypothesis Part 6 and the fact that
t = s.last_s.

For the upper bound we have from Invariants 10.2 Part 2 and 10.3 Part 1 that
s.upper_r > s.time_s ≥ s.last_s = t.

Then from the definition of receive_pkt_sr(m, t) we see that s'.deadline = ∞, and the
result follows.

a = receive_pkt_rs(t, b)

For such a step to be able to invalidate the invariant part under consideration, we
must have s.mode_s = send and s.last_s = t.

Then Invariant 10.6 Part 6 implies that s.last_s = t < s.lower_r, but then the induction
hypothesis Part 6 implies that s'.deadline = s.deadline = ∞. That suffices.

2. a = choose_id(t)

Then Invariant 10.5 Part 1 and the definitions of bound and last(C_{C,s}) imply that

s'.bound = s'.now + l_s + (k − 1) l_s + d > s'.now

a = send_pkt_sr(m, t)

We consider cases:

— (m, t) ∈ packets(s'.sr)

* (m, t) ∈ packets(s.sr): Then s'.bound = s.bound (this uses the fact that Invariant
10.9 Part 1 implies that mintime((m, t), s'.sr) = mintime((m, t), s.sr)), so
the result follows from the induction hypothesis.

* (m, t) ∉ packets(s.sr): Then s'.bound = s'.now + d > s'.now.

— (m, t) ∉ packets(s'.sr): Then s'.last(C_{C,s}) = s'.now + l_s, so Invariant 10.5 Part 2
implies

s'.bound = s'.now + l_s + (k − 1 − s'.count_sr(m, t)) l_s + d > s'.now

a = receive_pkt_sr(m, t)

For such a step to change bound we must have s.mode_s = send, s.last_s = t, and
s.current-msg_s = m. In all other cases the induction hypothesis immediately gives the
result.

The step removes ((m, t), t'), for some t', from sr. If t' ≠ mintime((m, t), s.sr) then
s'.bound = s.bound, and again the induction hypothesis gives the result. So, assume
t' = mintime((m, t), s.sr).

We consider cases:

— (m, t) ∈ packets(s'.sr)

Then mintime((m, t), s'.sr) ≥ mintime((m, t), s.sr), which implies that s'.bound ≥
s.bound, and the result follows.

— (m, t) ∉ packets(s'.sr)

Then, since s'.last(C_{C,s}) ≥ s'.now, we have (with a little help from Invariant 10.5
Part 2)

s'.bound = s'.last(C_{C,s}) + (k − 1 − s'.count_sr(m, t)) l_s + d > s'.now

a = ν

If s.mode_s = s'.mode_s ≠ send, then s'.bound = ∞ and the result follows. So, assume
s.mode_s = s'.mode_s = send.

Let m = s.current-msg_s = s'.current-msg_s and t = s.last_s = s'.last_s. We consider
cases:

— (m, t) ∈ packets(s.sr)

Then ((m, t), mintime((m, t), s.sr)) ∈ s.sr, and from the precondition of the time-
passing steps of the channel sr we have s'.now ≤ mintime((m, t), s.sr). Thus,
since s'.sr = s.sr,

s'.now ≤ mintime((m, t), s.sr) < mintime((m, t), s'.sr) + d = s'.bound

— (m, t) ∉ packets(s.sr)

Then, since s'.last(C_{C,s}) ≥ s'.now, we have (with a little help from Invariant 10.5
Part 2)

s'.bound = s'.last(C_{C,s}) + (k − 1 − s'.count_sr(m, t)) l_s + d > s'.now

3. This part follows directly from Parts 1 and 2.

4. a = choose_id(t)

If s.mode_r = rec, then s'.deadline = s.deadline = ∞ by the induction hypothesis
Part 7, so the result follows.

So, assume s.mode_r ≠ rec. Then s'.deadline = s'.now + kl_s + d and s'.last_s = s'.time_s.
Invariant 10.1 Part 3 then implies that s'.deadline ≤ s'.last_s + ε + kl_s + d.

a = recover_r

Then the induction hypothesis Part 7 implies that s.deadline = ∞, and since we have
s'.deadline = s.deadline, the result follows.

5. This part follows directly from Parts 3 and 4.

6. a ∈ {recover_s, recover_r}

Then by the induction hypothesis Part 7 we have s'.deadline = s.deadline = ∞. That
suffices.

a = choose_id(t)

Then s'.last_s = s'.time_s = s.time_s > s.last_s, by definition of choose_id. By Invariant
10.7 Part 2, s.lower_r < s.time_s. But since s'.lower_r = s.lower_r and s.time_s =
s'.last_s, we have s'.lower_r < s'.last_s, as needed.

a = increase-lower_r(t)

We only need to check such steps when s'.deadline = s.deadline ≠ ∞.
By definition of increase-lower_r(t), we have s'.lower_r ≤ s'.time_r − ρ ≤ s'.time_r −
(kl_s + d + 2ε). It suffices to show that this is less than or equal to s'.last_s. Since
s'.deadline ≠ ∞, Part 5 implies that s'.now ≤ s'.last_s + ε + kl_s + d. By Invariant 10.1
Part 4, we know that s'.time_r ≤ s'.now + ε. Therefore, s'.time_r ≤ s'.last_s + kl_s + d + 2ε.
This suffices.

a = receive_pkt_sr(m, t)

This increases lower_r if s.mode_r ≠ rec and s.lower_r < t < s.upper_r.

If s.deadline = ∞, then also s'.deadline = ∞ and the result follows.

So assume s.deadline ≠ ∞. Then the induction hypothesis Part 7 implies that s.mode_s =
send. Now, if t = s.last_s then s'.deadline = ∞ and the result follows. If t ≠ s.last_s,
then Invariant 10.6 Part 1 implies that t < s.last_s. Then, since s'.lower_r = t and
s'.last_s = s.last_s, we get s'.lower_r < s'.last_s, as needed.

7. Straightforward except for the case a = receive_pkt_rs(t, b).

a = receive_pkt_rs(t, b)

This may invalidate the invariant by changing mode_s to idle if we have t = s.last_s
and s.mode_s = send.

Invariant 10.6 Part 6 implies that s.last_s < s.lower_r. From the induction hypothesis
Part 6 we then get s.deadline = ∞, and since s'.deadline = s.deadline, the result
follows.



Proof of Invariant 10.12 

Straightforward. 

■ 

Proof of Invariant 10.13 

Straightforward. 



